authorjim-p <jimp@pfsense.org>2017-05-02 11:23:29 -0400
committerjim-p <jimp@pfsense.org>2017-05-02 11:24:40 -0400
commit0ab6edbc213b13c14f547c7a3d2f638ce1061967 (patch)
tree2193c568e5ecc5f904e6260f88078f549db6b7b2
parent0f437219858ce0b32b8b3335a63565507a367d7a (diff)
Update OpenVPN client export to use remote-cert-tls instead of the deprecated ns-cert-type; Update test to ensure the certificate has the proper EKU before adding the new directive. Fixes #7498
(cherry picked from commit 58ce864d071534ad284f78df6814ff41ae99bcba)
-rw-r--r--security/pfSense-pkg-openvpn-client-export/Makefile3
-rw-r--r--security/pfSense-pkg-openvpn-client-export/files/usr/local/pkg/openvpn-client-export.inc7
2 files changed, 5 insertions, 5 deletions
diff --git a/security/pfSense-pkg-openvpn-client-export/Makefile b/security/pfSense-pkg-openvpn-client-export/Makefile
index 88994e9..c6cae94 100644
--- a/security/pfSense-pkg-openvpn-client-export/Makefile
+++ b/security/pfSense-pkg-openvpn-client-export/Makefile
@@ -1,8 +1,7 @@
# $FreeBSD$
PORTNAME= pfSense-pkg-openvpn-client-export
-PORTVERSION= 1.4.2
-PORTREVISION= 2
+PORTVERSION= 1.4.3
CATEGORIES= security
MASTER_SITES= # empty
DISTFILES= # empty
diff --git a/security/pfSense-pkg-openvpn-client-export/files/usr/local/pkg/openvpn-client-export.inc b/security/pfSense-pkg-openvpn-client-export/files/usr/local/pkg/openvpn-client-export.inc
index c0873cb..b733b28 100644
--- a/security/pfSense-pkg-openvpn-client-export/files/usr/local/pkg/openvpn-client-export.inc
+++ b/security/pfSense-pkg-openvpn-client-export/files/usr/local/pkg/openvpn-client-export.inc
@@ -347,9 +347,10 @@ EOF;
// Extra protection for the server cert, if it's supported
if (function_exists("cert_get_purpose")) {
if (is_array($server_cert) && ($server_cert['crt'])) {
- $purpose = cert_get_purpose($server_cert['crt'], true);
- if ($purpose['server'] == 'Yes') {
- $conf .= "ns-cert-type server{$nl}";
+ $crt_details = openssl_x509_parse(base64_decode($server_cert['crt']));
+ $eku_list = explode(',', $crt_details['extensions']['extendedKeyUsage']);
+ if (in_array('TLS Web Server Authentication', $eku_list)) {
+ $conf .= "remote-cert-tls server{$nl}";
}
}
}
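Review bot: The `in_array('TLS Web Server Authentication', $eku_list)` test is an exact string match, but `$eku_list` comes from `explode(',', ...)` with no trimming. OpenSSL's text form of this extension normally separates entries with a comma and a space, so a certificate that lists server authentication after another usage would produce `' TLS Web Server Authentication'` and the match would fail. When that happens `remote-cert-tls server` is silently left out, and the exported client config no longer checks the peer certificate's usage at all. I would build the list with `$eku_list = array_map('trim', explode(',', $crt_details['extensions']['extendedKeyUsage']));` and wrap it in `if (is_array($crt_details) && isset($crt_details['extensions']['extendedKeyUsage']))`, since `openssl_x509_parse()` returns false on an unparsable certificate and the extension may be absent. The enclosing function starts and ends outside this hunk, so whether the omission is reported to the administrator elsewhere cannot be seen from here.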