Update OpenVPN client export to use remote-cert-tls instead of the deprecated ns-cert-type; Update test to ensure the certificate has the proper EKU before adding the new directive. Fixes #7498

(cherry picked from commit 58ce864d071534ad284f78df6814ff41ae99bcba)
(cherry picked from commit 0ab6edbc213b13c14f547c7a3d2f638ce1061967)

2 files changed, 5 insertions, 5 deletions

diff --git a/security/pfSense-pkg-openvpn-client-export/Makefile b/security/pfSense-pkg-openvpn-client-export/Makefile
index 88994e9..c6cae94 100644
--- a/security/pfSense-pkg-openvpn-client-export/Makefile
+++ b/security/pfSense-pkg-openvpn-client-export/Makefile
@@ -1,8 +1,7 @@
 # $FreeBSD$
 
 PORTNAME=	pfSense-pkg-openvpn-client-export
-PORTVERSION=	1.4.2
-PORTREVISION=	2
+PORTVERSION=	1.4.3
 CATEGORIES=	security
 MASTER_SITES=	# empty
 DISTFILES=	# empty
diff --git a/security/pfSense-pkg-openvpn-client-export/files/usr/local/pkg/openvpn-client-export.inc b/security/pfSense-pkg-openvpn-client-export/files/usr/local/pkg/openvpn-client-export.inc
index c0873cb..b733b28 100644
--- a/security/pfSense-pkg-openvpn-client-export/files/usr/local/pkg/openvpn-client-export.inc
+++ b/security/pfSense-pkg-openvpn-client-export/files/usr/local/pkg/openvpn-client-export.inc
@@ -347,9 +347,10 @@ EOF;
 	// Extra protection for the server cert, if it's supported
 	if (function_exists("cert_get_purpose")) {
 		if (is_array($server_cert) && ($server_cert['crt'])) {
-			$purpose = cert_get_purpose($server_cert['crt'], true);
-			if ($purpose['server'] == 'Yes') {
-				$conf .= "ns-cert-type server{$nl}";
+			$crt_details = openssl_x509_parse(base64_decode($server_cert['crt']));
+			$eku_list = explode(',', $crt_details['extensions']['extendedKeyUsage']);
+			if (in_array('TLS Web Server Authentication', $eku_list)) {
+				$conf .= "remote-cert-tls server{$nl}";
 			}
 		}
 	}