)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},"change_message_id":"af54ff9c8574fd1cfa0ce0380eaf91af5350884d","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"96c7c012_2d2bd767","updated":"2023-12-13 14:29:01.000000000","message":"Did some basic testing with both OpenSSL and mbedTLS. Looks good to me.","commit_id":"f42e6a4ae4a7ad04e17a4ae2e86c9c0b06eb4fbe"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"9229c1e6c3924a0478dd6d29a5832779cb31ed3a","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":6,"id":"fadf8b07_6e83bf87","updated":"2024-01-02 16:45:08.000000000","message":"So we have to decide how to go about this. The current patch only So just exporting and providing","commit_id":"b9173868798d713c03e7e45069be171fc4859f7c"},{"author":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"change_message_id":"0a6b3c8ae3298f7d00864ae15a87a3a7e27cd73e","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":6,"id":"7635ed75_d493573e","updated":"2023-12-18 17:42:02.000000000","message":"Tested, does not crash, but only exports level 0 cert (level 1 variable is set, but no such file exists).","commit_id":"b9173868798d713c03e7e45069be171fc4859f7c"},{"author":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"change_message_id":"71d3e97fb31adf54ab7b9642bc8aec6b4468e8c1","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":10,"id":"ff9de142_e280e785","updated":"2024-01-06 15:31:06.000000000","message":"OK, this seems to be doing what the (old) manpage leads me to expect\n\n- for each level of certificates, --tls-verify is called once (so \"1x for level 0, 1x for level 1\" if no intermediate CAs are used) - this was not clear to me initially, that it\u0027s indeed called multiple times.\n- depending on the level of call, exactly one `$peer_cert_\u003cn\u003e` env variable is set, and that certificate file exists\n- on level 0, `$peer_cert` is set as well\n- indeed, different certs show up in these files\n\nThe old code only ever sets `peer_cert`, though, independent of the level, so I\u0027m not sure having a (single) `$peer_cert_\u003cn\u003e` variable is that useful - if it\u0027s only one, `peer_cert` is maybe good enough?\n\nSo we could move onward, or move to \"always `$peer_cert`, no `_\u003cn\u003e`...","commit_id":"bba08f3a4d8fdd869e885866726837a382023c04"},{"author":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"change_message_id":"e6f966322b0b44e63ff298652c367840ef9237fc","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":11,"id":"306175bd_bf2e52b3","updated":"2024-01-13 12:11:20.000000000","message":"As much as it pains me, this needs to do another round - it now calls \"unlink(NULL)\" if the feature is not active.  GHA/ASAN on ubuntu 20 found this.","commit_id":"5b49bee15c5bcac68e40d1e2aa214662454e1459"},{"author":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"change_message_id":"d63ffba900bf6cf435499de41291251626c0e9d6","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":11,"id":"1b43d532_ab47c2dd","updated":"2024-01-12 18:19:01.000000000","message":"as simple as it gets now :-) - I like that.","commit_id":"5b49bee15c5bcac68e40d1e2aa214662454e1459"}],"doc/man-sections/script-options.rst":[{"author":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"change_message_id":"e7a3733f0f1f96928ab0afaccc62a220138c6536","unresolved":true,"context_lines":[{"line_number":423,"context_line":"  See the `Environmental Variables`_ section below for additional"},{"line_number":424,"context_line":"  parameters passed as environmental variables."},{"line_number":425,"context_line":""},{"line_number":426,"context_line":"--export-peer-cert-path dir"},{"line_number":427,"context_line":"  Adds a an environment variables ``peer_cert_{x}`` (and an alias"},{"line_number":428,"context_line":"  ``peer_cert`` for ``peer_cert_0`` for compatibility)  when calling the"},{"line_number":429,"context_line":"  ``--tls-verify`` script or executing the OPENVPN_PLUGIN_TLS_VERIFY plugin"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3f968f88_17232d6f","line":426,"updated":"2023-12-06 12:57:27.000000000","message":"so this is a new option, which is incompatible and will break people\u0027s config (if they use the old option).  So we should go for the same option name \"--tls-export-cert\" - or alternatively provide a Changes.rst explaining the reasons.","commit_id":"549b9cb9e1a55a010100802c689336a067d21d58"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"8f2e3e763e648678dcbc804adbe9e1ba4bae2e0a","unresolved":false,"context_lines":[{"line_number":423,"context_line":"  See the `Environmental Variables`_ section below for additional"},{"line_number":424,"context_line":"  parameters passed as environmental variables."},{"line_number":425,"context_line":""},{"line_number":426,"context_line":"--export-peer-cert-path dir"},{"line_number":427,"context_line":"  Adds a an environment variables ``peer_cert_{x}`` (and an alias"},{"line_number":428,"context_line":"  ``peer_cert`` for ``peer_cert_0`` for compatibility)  when calling the"},{"line_number":429,"context_line":"  ``--tls-verify`` script or executing the OPENVPN_PLUGIN_TLS_VERIFY plugin"}],"source_content_type":"text/x-rst","patch_set":1,"id":"337ef9e3_0f8bbba4","line":426,"in_reply_to":"3f968f88_17232d6f","updated":"2023-12-06 14:04:25.000000000","message":"Done","commit_id":"549b9cb9e1a55a010100802c689336a067d21d58"},{"author":{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},"change_message_id":"cc25eb22762b0e2b8c47a5b95a37810310f6e0c7","unresolved":true,"context_lines":[{"line_number":424,"context_line":"  parameters passed as environmental variables."},{"line_number":425,"context_line":""},{"line_number":426,"context_line":"--tls-export-cert-path dir"},{"line_number":427,"context_line":"  Adds a an environment variables ``peer_cert_{x}`` (and an alias"},{"line_number":428,"context_line":"  ``peer_cert`` for ``peer_cert_0`` for compatibility)  when calling the"},{"line_number":429,"context_line":"  ``--tls-verify`` script or executing the OPENVPN_PLUGIN_TLS_VERIFY plugin"},{"line_number":430,"context_line":"  hook to verify the certificate."}],"source_content_type":"text/x-rst","patch_set":2,"id":"738f9728_f9eb156f","line":427,"updated":"2023-12-06 17:30:24.000000000","message":"Remove \"a\"","commit_id":"a341d240767252d81f5a1925e6d27bfdc9188784"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"eb178e043c90d76d29e17c974b83ad627d92e4ec","unresolved":false,"context_lines":[{"line_number":424,"context_line":"  parameters passed as environmental variables."},{"line_number":425,"context_line":""},{"line_number":426,"context_line":"--tls-export-cert-path dir"},{"line_number":427,"context_line":"  Adds a an environment variables ``peer_cert_{x}`` (and an alias"},{"line_number":428,"context_line":"  ``peer_cert`` for ``peer_cert_0`` for compatibility)  when calling the"},{"line_number":429,"context_line":"  ``--tls-verify`` script or executing the OPENVPN_PLUGIN_TLS_VERIFY plugin"},{"line_number":430,"context_line":"  hook to verify the certificate."}],"source_content_type":"text/x-rst","patch_set":2,"id":"dccfc964_cfd463f3","line":427,"in_reply_to":"738f9728_f9eb156f","updated":"2023-12-07 11:27:23.000000000","message":"Done","commit_id":"a341d240767252d81f5a1925e6d27bfdc9188784"},{"author":{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},"change_message_id":"bcfc65ccf3b2dd1ebda0c22e5ca9cb772bd6f1b8","unresolved":true,"context_lines":[{"line_number":424,"context_line":"  parameters passed as environmental variables."},{"line_number":425,"context_line":""},{"line_number":426,"context_line":"--tls-export-cert-path dir"},{"line_number":427,"context_line":"  Adds an environment variables ``peer_cert_{x}`` (and an alias"},{"line_number":428,"context_line":"  ``peer_cert`` for ``peer_cert_0`` for compatibility)  when calling the"},{"line_number":429,"context_line":"  ``--tls-verify`` script or executing the OPENVPN_PLUGIN_TLS_VERIFY plugin"},{"line_number":430,"context_line":"  hook to verify the certificate."}],"source_content_type":"text/x-rst","patch_set":4,"id":"36b80616_1a510d1a","line":427,"updated":"2023-12-12 14:39:26.000000000","message":"\"variable\" or remove \"an\"","commit_id":"2211fcd0a7c0c52bf4bcfe814b65464c5bfde4ab"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"263810e11b6f39f8f04d89f442542198d36c08f4","unresolved":false,"context_lines":[{"line_number":424,"context_line":"  parameters passed as environmental variables."},{"line_number":425,"context_line":""},{"line_number":426,"context_line":"--tls-export-cert-path dir"},{"line_number":427,"context_line":"  Adds an environment variables ``peer_cert_{x}`` (and an alias"},{"line_number":428,"context_line":"  ``peer_cert`` for ``peer_cert_0`` for compatibility)  when calling the"},{"line_number":429,"context_line":"  ``--tls-verify`` script or executing the OPENVPN_PLUGIN_TLS_VERIFY plugin"},{"line_number":430,"context_line":"  hook to verify the certificate."}],"source_content_type":"text/x-rst","patch_set":4,"id":"f51f4a78_549de142","line":427,"in_reply_to":"36b80616_1a510d1a","updated":"2023-12-12 18:24:05.000000000","message":"Done","commit_id":"2211fcd0a7c0c52bf4bcfe814b65464c5bfde4ab"},{"author":{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},"change_message_id":"bcfc65ccf3b2dd1ebda0c22e5ca9cb772bd6f1b8","unresolved":true,"context_lines":[{"line_number":777,"context_line":"    the path to the current peer certificate to be verified in PEM format"},{"line_number":778,"context_line":"    where ``n`` is the verification level."},{"line_number":779,"context_line":""},{"line_number":780,"context_line":":code:`peer_cert` identical to `peer_cert_0` for compatibility with older"},{"line_number":781,"context_line":"    versions."},{"line_number":782,"context_line":""},{"line_number":783,"context_line":":code:`proto`"}],"source_content_type":"text/x-rst","patch_set":4,"id":"42a94055_6568f3e0","line":780,"updated":"2023-12-12 14:39:26.000000000","message":"Missing line break before \"identical\". Breaks formatting","commit_id":"2211fcd0a7c0c52bf4bcfe814b65464c5bfde4ab"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"263810e11b6f39f8f04d89f442542198d36c08f4","unresolved":false,"context_lines":[{"line_number":777,"context_line":"    the path to the current peer certificate to be verified in PEM format"},{"line_number":778,"context_line":"    where ``n`` is the verification level."},{"line_number":779,"context_line":""},{"line_number":780,"context_line":":code:`peer_cert` identical to `peer_cert_0` for compatibility with older"},{"line_number":781,"context_line":"    versions."},{"line_number":782,"context_line":""},{"line_number":783,"context_line":":code:`proto`"}],"source_content_type":"text/x-rst","patch_set":4,"id":"eed49c31_f5661e3b","line":780,"in_reply_to":"42a94055_6568f3e0","updated":"2023-12-12 18:24:05.000000000","message":"Done","commit_id":"2211fcd0a7c0c52bf4bcfe814b65464c5bfde4ab"},{"author":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"change_message_id":"0a6b3c8ae3298f7d00864ae15a87a3a7e27cd73e","unresolved":true,"context_lines":[{"line_number":423,"context_line":"  See the `Environmental Variables`_ section below for additional"},{"line_number":424,"context_line":"  parameters passed as environmental variables."},{"line_number":425,"context_line":""},{"line_number":426,"context_line":"--tls-export-cert-path dir"},{"line_number":427,"context_line":"  Adds an environment variable ``peer_cert_{x}`` (and an alias"},{"line_number":428,"context_line":"  ``peer_cert`` for ``peer_cert_0`` for compatibility)  when calling the"},{"line_number":429,"context_line":"  ``--tls-verify`` script or executing the OPENVPN_PLUGIN_TLS_VERIFY plugin"}],"source_content_type":"text/x-rst","patch_set":6,"id":"bff18d9b_f279e622","line":426,"updated":"2023-12-18 17:42:02.000000000","message":"the manpage calls the option \"tls-export-cert-path\", while options.c checks for \"tls-export-cert\" (only, no \"new option and also old option for compat reasons\") - this needs to be resolved (and keeping the old option name everywhere is better for not breaking people\u0027s configs - so the documentation needs to be fixed)","commit_id":"b9173868798d713c03e7e45069be171fc4859f7c"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"9229c1e6c3924a0478dd6d29a5832779cb31ed3a","unresolved":false,"context_lines":[{"line_number":423,"context_line":"  See the `Environmental Variables`_ section below for additional"},{"line_number":424,"context_line":"  parameters passed as environmental variables."},{"line_number":425,"context_line":""},{"line_number":426,"context_line":"--tls-export-cert-path dir"},{"line_number":427,"context_line":"  Adds an environment variable ``peer_cert_{x}`` (and an alias"},{"line_number":428,"context_line":"  ``peer_cert`` for ``peer_cert_0`` for compatibility)  when calling the"},{"line_number":429,"context_line":"  ``--tls-verify`` script or executing the OPENVPN_PLUGIN_TLS_VERIFY plugin"}],"source_content_type":"text/x-rst","patch_set":6,"id":"f8e03d25_01b36152","line":426,"in_reply_to":"bff18d9b_f279e622","updated":"2024-01-02 16:45:08.000000000","message":"Ooops missed that one.","commit_id":"b9173868798d713c03e7e45069be171fc4859f7c"}],"src/openvpn/init.c":[{"author":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"change_message_id":"0a6b3c8ae3298f7d00864ae15a87a3a7e27cd73e","unresolved":true,"context_lines":[{"line_number":3336,"context_line":"    to.auth_user_pass_verify_script_via_file \u003d options-\u003eauth_user_pass_verify_script_via_file;"},{"line_number":3337,"context_line":"    to.client_crresponse_script \u003d options-\u003eclient_crresponse_script;"},{"line_number":3338,"context_line":"    to.tmp_dir \u003d options-\u003etmp_dir;"},{"line_number":3339,"context_line":"    to.export_peer_cert_dir \u003d options-\u003etls_export_peer_cert_path;"},{"line_number":3340,"context_line":"    if (options-\u003eccd_exclusive)"},{"line_number":3341,"context_line":"    {"},{"line_number":3342,"context_line":"        to.client_config_dir_exclusive \u003d options-\u003eclient_config_dir;"}],"source_content_type":"text/x-csrc","patch_set":6,"id":"189e173c_161fa78f","line":3339,"updated":"2023-12-18 17:42:02.000000000","message":"why call this \"_dir\" in the to, and \"_path\" in options-\u003e ?","commit_id":"b9173868798d713c03e7e45069be171fc4859f7c"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"9229c1e6c3924a0478dd6d29a5832779cb31ed3a","unresolved":false,"context_lines":[{"line_number":3336,"context_line":"    to.auth_user_pass_verify_script_via_file \u003d options-\u003eauth_user_pass_verify_script_via_file;"},{"line_number":3337,"context_line":"    to.client_crresponse_script \u003d options-\u003eclient_crresponse_script;"},{"line_number":3338,"context_line":"    to.tmp_dir \u003d options-\u003etmp_dir;"},{"line_number":3339,"context_line":"    to.export_peer_cert_dir \u003d options-\u003etls_export_peer_cert_path;"},{"line_number":3340,"context_line":"    if (options-\u003eccd_exclusive)"},{"line_number":3341,"context_line":"    {"},{"line_number":3342,"context_line":"        to.client_config_dir_exclusive \u003d options-\u003eclient_config_dir;"}],"source_content_type":"text/x-csrc","patch_set":6,"id":"e88dae53_952dc331","line":3339,"in_reply_to":"189e173c_161fa78f","updated":"2024-01-02 16:45:08.000000000","message":"Fixed and now using always _dir","commit_id":"b9173868798d713c03e7e45069be171fc4859f7c"}],"src/openvpn/ssl_verify.c":[{"author":{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},"change_message_id":"cc25eb22762b0e2b8c47a5b95a37810310f6e0c7","unresolved":true,"context_lines":[{"line_number":463,"context_line":"{"},{"line_number":464,"context_line":"    char envname[64];"},{"line_number":465,"context_line":"    struct gc_arena gc \u003d gc_new();"},{"line_number":466,"context_line":"    /* export the certificate itself as pem when the enabled */"},{"line_number":467,"context_line":"    openvpn_snprintf(envname, sizeof(envname), \"peer_cert_%d\", cert_depth);"},{"line_number":468,"context_line":"    setenv_str(es, envname, pem_export_fn);"},{"line_number":469,"context_line":""}],"source_content_type":"text/x-csrc","patch_set":2,"id":"dd7a5b9a_bf660274","line":466,"updated":"2023-12-06 17:30:24.000000000","message":"missing words?","commit_id":"a341d240767252d81f5a1925e6d27bfdc9188784"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"eb178e043c90d76d29e17c974b83ad627d92e4ec","unresolved":false,"context_lines":[{"line_number":463,"context_line":"{"},{"line_number":464,"context_line":"    char envname[64];"},{"line_number":465,"context_line":"    struct gc_arena gc \u003d gc_new();"},{"line_number":466,"context_line":"    /* export the certificate itself as pem when the enabled */"},{"line_number":467,"context_line":"    openvpn_snprintf(envname, sizeof(envname), \"peer_cert_%d\", cert_depth);"},{"line_number":468,"context_line":"    setenv_str(es, envname, pem_export_fn);"},{"line_number":469,"context_line":""}],"source_content_type":"text/x-csrc","patch_set":2,"id":"2e49f9a9_cc253bc2","line":466,"in_reply_to":"dd7a5b9a_bf660274","updated":"2023-12-07 11:27:23.000000000","message":"Done","commit_id":"a341d240767252d81f5a1925e6d27bfdc9188784"},{"author":{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},"change_message_id":"cc25eb22762b0e2b8c47a5b95a37810310f6e0c7","unresolved":true,"context_lines":[{"line_number":474,"context_line":"        setenv_str(es, \"peer_cert\", pem_export_fn);"},{"line_number":475,"context_line":"    }"},{"line_number":476,"context_line":""},{"line_number":477,"context_line":"    bool ret \u003d true;"},{"line_number":478,"context_line":""},{"line_number":479,"context_line":"    ret \u003d (backend_x509_write_pem(peer_cert, pem_export_fn) \u003d\u003d SUCCESS);"},{"line_number":480,"context_line":""}],"source_content_type":"text/x-csrc","patch_set":2,"id":"f487e7c8_793bcb7e","line":477,"updated":"2023-12-06 17:30:24.000000000","message":"Can combine with the next line.","commit_id":"a341d240767252d81f5a1925e6d27bfdc9188784"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"eb178e043c90d76d29e17c974b83ad627d92e4ec","unresolved":false,"context_lines":[{"line_number":474,"context_line":"        setenv_str(es, \"peer_cert\", pem_export_fn);"},{"line_number":475,"context_line":"    }"},{"line_number":476,"context_line":""},{"line_number":477,"context_line":"    bool ret \u003d true;"},{"line_number":478,"context_line":""},{"line_number":479,"context_line":"    ret \u003d (backend_x509_write_pem(peer_cert, pem_export_fn) \u003d\u003d SUCCESS);"},{"line_number":480,"context_line":""}],"source_content_type":"text/x-csrc","patch_set":2,"id":"99393580_9e01f59d","line":477,"in_reply_to":"f487e7c8_793bcb7e","updated":"2023-12-07 11:27:23.000000000","message":"Done","commit_id":"a341d240767252d81f5a1925e6d27bfdc9188784"},{"author":{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},"change_message_id":"cc25eb22762b0e2b8c47a5b95a37810310f6e0c7","unresolved":true,"context_lines":[{"line_number":599,"context_line":"verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_depth)"},{"line_number":600,"context_line":"{"},{"line_number":601,"context_line":"    /* need to define these variables here so goto cleanup will always have"},{"line_number":602,"context_line":"     * these variables defined */"},{"line_number":603,"context_line":"    result_t ret \u003d FAILURE;"},{"line_number":604,"context_line":"    struct gc_arena gc \u003d gc_new();"},{"line_number":605,"context_line":"    const char *pem_export_fn \u003d NULL;"}],"source_content_type":"text/x-csrc","patch_set":2,"id":"2e703085_bdc2ffba","line":602,"updated":"2023-12-06 17:30:24.000000000","message":"can replace repetition of \"these variables\" with \"them\"","commit_id":"a341d240767252d81f5a1925e6d27bfdc9188784"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"eb178e043c90d76d29e17c974b83ad627d92e4ec","unresolved":false,"context_lines":[{"line_number":599,"context_line":"verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_depth)"},{"line_number":600,"context_line":"{"},{"line_number":601,"context_line":"    /* need to define these variables here so goto cleanup will always have"},{"line_number":602,"context_line":"     * these variables defined */"},{"line_number":603,"context_line":"    result_t ret \u003d FAILURE;"},{"line_number":604,"context_line":"    struct gc_arena gc \u003d gc_new();"},{"line_number":605,"context_line":"    const char *pem_export_fn \u003d NULL;"}],"source_content_type":"text/x-csrc","patch_set":2,"id":"9626e926_96849b76","line":602,"in_reply_to":"2e703085_bdc2ffba","updated":"2023-12-07 11:27:23.000000000","message":"Done","commit_id":"a341d240767252d81f5a1925e6d27bfdc9188784"},{"author":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"change_message_id":"0a6b3c8ae3298f7d00864ae15a87a3a7e27cd73e","unresolved":true,"context_lines":[{"line_number":731,"context_line":""},{"line_number":732,"context_line":"    session-\u003everify_maxlevel \u003d max_int(session-\u003everify_maxlevel, cert_depth);"},{"line_number":733,"context_line":""},{"line_number":734,"context_line":"    if (opt-\u003eexport_peer_cert_dir)"},{"line_number":735,"context_line":"    {"},{"line_number":736,"context_line":"        pem_export_fn \u003d platform_create_temp_file(opt-\u003eexport_peer_cert_dir,"},{"line_number":737,"context_line":"                                                  \"pef\", \u0026gc);"}],"source_content_type":"text/x-csrc","patch_set":6,"id":"97340248_881cd351","line":734,"updated":"2023-12-18 17:42:02.000000000","message":"Something is not right here.  So the function does set up multiple environment variables, but only one file is ever created...\n\nI do a \"ls -l $peer_cert_2 $peer_cert_1 $peer_cert0\" in my tls-verify-script, and this is what I see\n\npeer_cert_1\u003d/var/tmp/openvpn_pef_6a5f2055b342424a15139e5787303c57.tmp\npeer_cert_0\u003d/var/tmp/openvpn_pef_18e5d27eafdb9fb54c12a8c446b56c76.tmp\npeer_cert\u003d/var/tmp/openvpn_pef_18e5d27eafdb9fb54c12a8c446b56c76.tmp\n-rw------- 1 root root 1830 Dec 18 18:39 /var/tmp/openvpn_pef_18e5d27eafdb9fb54c12a8c446b56c76.tmp\n\n... only one file.\n\nFor \"multiple files\", I would have expected to find the filenames in an array so they can all be deleted at the end (and no dangling files), but if only one file is ever created, no array is needed...","commit_id":"b9173868798d713c03e7e45069be171fc4859f7c"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"9229c1e6c3924a0478dd6d29a5832779cb31ed3a","unresolved":false,"context_lines":[{"line_number":731,"context_line":""},{"line_number":732,"context_line":"    session-\u003everify_maxlevel \u003d max_int(session-\u003everify_maxlevel, cert_depth);"},{"line_number":733,"context_line":""},{"line_number":734,"context_line":"    if (opt-\u003eexport_peer_cert_dir)"},{"line_number":735,"context_line":"    {"},{"line_number":736,"context_line":"        pem_export_fn \u003d platform_create_temp_file(opt-\u003eexport_peer_cert_dir,"},{"line_number":737,"context_line":"                                                  \"pef\", \u0026gc);"}],"source_content_type":"text/x-csrc","patch_set":6,"id":"6cb0e20f_1acc6fec","line":734,"in_reply_to":"2e6bc2d2_f0a6cbd6","updated":"2024-01-02 16:45:08.000000000","message":"This version of the patch now removes the environment variable together with the file. That is not as intrusive and should give at least backwards compatibility for now. The better solution is more complicated and requires modification to env handling (or even lot bigger refactoring) and is moved to follow up patches.","commit_id":"b9173868798d713c03e7e45069be171fc4859f7c"},{"author":{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},"change_message_id":"2e3e89e8b8455f9fd6874e83aa986000f06d3736","unresolved":true,"context_lines":[{"line_number":731,"context_line":""},{"line_number":732,"context_line":"    session-\u003everify_maxlevel \u003d max_int(session-\u003everify_maxlevel, cert_depth);"},{"line_number":733,"context_line":""},{"line_number":734,"context_line":"    if (opt-\u003eexport_peer_cert_dir)"},{"line_number":735,"context_line":"    {"},{"line_number":736,"context_line":"        pem_export_fn \u003d platform_create_temp_file(opt-\u003eexport_peer_cert_dir,"},{"line_number":737,"context_line":"                                                  \"pef\", \u0026gc);"}],"source_content_type":"text/x-csrc","patch_set":6,"id":"2e6bc2d2_f0a6cbd6","line":734,"in_reply_to":"97340248_881cd351","updated":"2023-12-20 11:57:07.000000000","message":"So I tried to understand why it seemed to work in my testing. It turns out that I only ever looked at the cert indicated by $depth argument to the hook. So indeed all the certs are exported correctly, but the problem is that after the depth 1 hook is run the file indicated by peer_cert_1 is deleted already. So the behavior is not very useful.","commit_id":"b9173868798d713c03e7e45069be171fc4859f7c"}],"src/openvpn/ssl_verify_mbedtls.c":[{"author":{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},"change_message_id":"cc25eb22762b0e2b8c47a5b95a37810310f6e0c7","unresolved":true,"context_lines":[{"line_number":222,"context_line":"backend_x509_write_pem(openvpn_x509_cert_t *cert, const char *filename)"},{"line_number":223,"context_line":"{"},{"line_number":224,"context_line":"    /* mbed TLS does not make it easy to write a certificate in PEM format."},{"line_number":225,"context_line":"     * The only way to is directly access the DER encoded raw certificate"},{"line_number":226,"context_line":"     * and PEM encode it ourselves */"},{"line_number":227,"context_line":""},{"line_number":228,"context_line":"    struct gc_arena gc \u003d gc_new();"}],"source_content_type":"text/x-csrc","patch_set":2,"id":"74783133_a96d6da5","line":225,"updated":"2023-12-06 17:30:24.000000000","message":"\"to is\" -\u003e \"is to\"","commit_id":"a341d240767252d81f5a1925e6d27bfdc9188784"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"eb178e043c90d76d29e17c974b83ad627d92e4ec","unresolved":false,"context_lines":[{"line_number":222,"context_line":"backend_x509_write_pem(openvpn_x509_cert_t *cert, const char *filename)"},{"line_number":223,"context_line":"{"},{"line_number":224,"context_line":"    /* mbed TLS does not make it easy to write a certificate in PEM format."},{"line_number":225,"context_line":"     * The only way to is directly access the DER encoded raw certificate"},{"line_number":226,"context_line":"     * and PEM encode it ourselves */"},{"line_number":227,"context_line":""},{"line_number":228,"context_line":"    struct gc_arena gc \u003d gc_new();"}],"source_content_type":"text/x-csrc","patch_set":2,"id":"32a92534_6ee0a5db","line":225,"in_reply_to":"74783133_a96d6da5","updated":"2023-12-07 11:27:23.000000000","message":"Done","commit_id":"a341d240767252d81f5a1925e6d27bfdc9188784"},{"author":{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},"change_message_id":"cc25eb22762b0e2b8c47a5b95a37810310f6e0c7","unresolved":true,"context_lines":[{"line_number":227,"context_line":""},{"line_number":228,"context_line":"    struct gc_arena gc \u003d gc_new();"},{"line_number":229,"context_line":"    /* just do a very loose upper bound for the base64 based PEM encoding"},{"line_number":230,"context_line":"     * using needing 3 times the space for the base64 and 100 bytes for the"},{"line_number":231,"context_line":"     * headers and footer */"},{"line_number":232,"context_line":"    struct buffer pem \u003d alloc_buf_gc(cert-\u003eraw.len * 3 + 100, \u0026gc);"},{"line_number":233,"context_line":""}],"source_content_type":"text/x-csrc","patch_set":2,"id":"b48e3170_e0e585b4","line":230,"updated":"2023-12-06 17:30:24.000000000","message":"drop one of \"using needing\"","commit_id":"a341d240767252d81f5a1925e6d27bfdc9188784"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"eb178e043c90d76d29e17c974b83ad627d92e4ec","unresolved":false,"context_lines":[{"line_number":227,"context_line":""},{"line_number":228,"context_line":"    struct gc_arena gc \u003d gc_new();"},{"line_number":229,"context_line":"    /* just do a very loose upper bound for the base64 based PEM encoding"},{"line_number":230,"context_line":"     * using needing 3 times the space for the base64 and 100 bytes for the"},{"line_number":231,"context_line":"     * headers and footer */"},{"line_number":232,"context_line":"    struct buffer pem \u003d alloc_buf_gc(cert-\u003eraw.len * 3 + 100, \u0026gc);"},{"line_number":233,"context_line":""}],"source_content_type":"text/x-csrc","patch_set":2,"id":"85213291_05de576e","line":230,"in_reply_to":"b48e3170_e0e585b4","updated":"2023-12-07 11:27:23.000000000","message":"Done","commit_id":"a341d240767252d81f5a1925e6d27bfdc9188784"}]}