author | Chris Buechler <cmb@pfsense.org> | 2015-07-22 13:05:22 -0500 |
---|---|---|
committer | Chris Buechler <cmb@pfsense.org> | 2015-07-22 13:05:22 -0500 |
commit | 5bded426abd661d79d4ece3960a4f4fa90bce811 (patch) | |
tree | 1e532f4b5537742614bece8de4cc10734e2d3683 | |
parent | 8c378f3fd259138657d246c76e00214eebb9090f (diff) | |
write out built-in CRLs for strongswan
-rw-r--r-- | etc/inc/vpn.inc | 20 |
1 files changed, 18 insertions, 2 deletions
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index aaf7c09..fb477e4 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -151,6 +151,7 @@ function vpn_ipsec_configure($restart = false) {
 $certpath = "{$g['varetc_path']}/ipsec/ipsec.d/certs";
 $capath = "{$g['varetc_path']}/ipsec/ipsec.d/cacerts";
 $keypath = "{$g['varetc_path']}/ipsec/ipsec.d/private";
+ $crlpath = "{$g['varetc_path']}/ipsec/ipsec.d/crls";
 mwexec("/sbin/ifconfig enc0 up");
 set_single_sysctl("net.inet.ip.ipsec_in_use", "1");
@@ -171,8 +172,8 @@ function vpn_ipsec_configure($restart = false) {
 if (!is_dir($keypath)) {
 mkdir($keypath);
 }
- if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/crls")) {
- mkdir("{$g['varetc_path']}/ipsec/ipsec.d/crls");
+ if (!is_dir($crlpath)) {
+ mkdir($crlpath);
 }
 if (!is_dir($certpath)) {
 mkdir($certpath);
@@ -584,6 +585,21 @@ EOD;
 unset($cert);
 }
 }
+
+ /* write out CRL files */
+ if (is_array($config['crl']) && count($config['crl'])) {
+ foreach ($config['crl'] as $crl) {
+ if (!isset($crl['text'])) {
+ log_error(sprintf(gettext("Error: Invalid CRL data for %s"), $crl['descr']));
+ continue;
+ }
+ $fpath = "{$crlpath}/{$crl['refid']}.crl";
+ if (!@file_put_contents($fpath, base64_decode($crl['text']))) {
+ log_error(sprintf(gettext("Error: Cannot write IPsec CRL file for %s"), $crl['descr']));
+ continue;
+ }
+ }
+ }
 $pskconf = ""; |
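Review bot: The CRL files the third hunk writes to `$fpath` are never removed when a CRL is deleted from `$config['crl']`, so a stale `.crl` left behind in `$crlpath` would still be available to strongswan on the next reload unless something outside this hunk clears the directory; writing `foreach (glob("{$crlpath}/*.crl") as $stale) { @unlink($stale); }` before the `foreach` would keep the directory in step with the config. `base64_decode($crl['text'])` runs in non-strict mode, so a corrupt entry yields a truncated or empty blob rather than an error; `$decoded = base64_decode($crl['text'], true); if ($decoded === false) { log_error(...); continue; }` would reject it before a file is written, and testing `file_put_contents` with `=== false` would stop a zero-byte write from being reported as a write failure. `$crl['refid']` goes straight into the path, which appears safe for the ids pfSense generates but is worth a defensive check that the refid contains no path separators so a hand-edited config cannot write outside `$crlpath`. The `@` on `file_put_contents` hides the reason for a failure, so including `$fpath` in the log message would help diagnosis; vpn_ipsec_configure continues on both sides of this hunk.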