author | jim-p <jimp@pfsense.org> | 2017-05-02 11:23:29 -0400 |
---|---|---|
committer | jim-p <jimp@pfsense.org> | 2017-05-02 11:24:40 -0400 |
commit | 0ab6edbc213b13c14f547c7a3d2f638ce1061967 (patch) | |
tree | 2193c568e5ecc5f904e6260f88078f549db6b7b2 | |
parent | 0f437219858ce0b32b8b3335a63565507a367d7a (diff) | |
Update OpenVPN client export to use remote-cert-tls instead of the deprecated ns-cert-type; Update test to ensure the certificate has the proper EKU before adding the new directive. Fixes #7498
(cherry picked from commit 58ce864d071534ad284f78df6814ff41ae99bcba)
-rw-r--r-- | security/pfSense-pkg-openvpn-client-export/Makefile | 3 | ||||
-rw-r--r-- | security/pfSense-pkg-openvpn-client-export/files/usr/local/pkg/openvpn-client-export.inc | 7 |
2 files changed, 5 insertions, 5 deletions
diff --git a/security/pfSense-pkg-openvpn-client-export/Makefile b/security/pfSense-pkg-openvpn-client-export/Makefile
index 88994e9..c6cae94 100644
--- a/security/pfSense-pkg-openvpn-client-export/Makefile
+++ b/security/pfSense-pkg-openvpn-client-export/Makefile
@@ -1,8 +1,7 @@
 # $FreeBSD$
 
 PORTNAME= pfSense-pkg-openvpn-client-export
-PORTVERSION= 1.4.2
-PORTREVISION= 2
+PORTVERSION= 1.4.3
 CATEGORIES= security
 MASTER_SITES= # empty
 DISTFILES= # empty
diff --git a/security/pfSense-pkg-openvpn-client-export/files/usr/local/pkg/openvpn-client-export.inc b/security/pfSense-pkg-openvpn-client-export/files/usr/local/pkg/openvpn-client-export.inc
index c0873cb..b733b28 100644
--- a/security/pfSense-pkg-openvpn-client-export/files/usr/local/pkg/openvpn-client-export.inc
+++ b/security/pfSense-pkg-openvpn-client-export/files/usr/local/pkg/openvpn-client-export.inc
@@ -347,9 +347,10 @@ EOF;
 // Extra protection for the server cert, if it's supported
 if (function_exists("cert_get_purpose")) {
 if (is_array($server_cert) && ($server_cert['crt'])) {
- $purpose = cert_get_purpose($server_cert['crt'], true);
- if ($purpose['server'] == 'Yes') {
- $conf .= "ns-cert-type server{$nl}";
+ $crt_details = openssl_x509_parse(base64_decode($server_cert['crt']));
+ $eku_list = explode(',', $crt_details['extensions']['extendedKeyUsage']);
+ if (in_array('TLS Web Server Authentication', $eku_list)) {
+ $conf .= "remote-cert-tls server{$nl}";
 }
 }
 }
|
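Review bot: The new `in_array()` EKU test in openvpn-client-export.inc only matches when server authentication is the first usage listed, because OpenSSL renders extendedKeyUsage as a comma-and-space separated string and `explode(',', ...)` leaves a leading space on every later entry. A server certificate that lists client authentication first would then be exported without `remote-cert-tls server`, silently dropping the server-certificate check from the generated client config. Trimming the entries avoids this: `$eku_list = array_map('trim', explode(',', $crt_details['extensions']['extendedKeyUsage']));`. The lookup also assumes `openssl_x509_parse()` succeeded and that the extension key exists, and the outer `function_exists("cert_get_purpose")` guard no longer matches what the block calls. The enclosing function begins and ends outside this hunk.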