authorChris Buechler <cmb@pfsense.org>2015-07-22 15:03:20 -0500
committerChris Buechler <cmb@pfsense.org>2015-07-22 15:03:20 -0500
commit7361628b2a1a93742f167ed34caae1087df804ec (patch)
tree5e59dc6bc079b169610c8b776b07f7dce95244a8
parentcc31dc7a19c2323d2538c2575024ed7d08bbabc4 (diff)
downloadpfsense-7361628b2a1a93742f167ed34caae1087df804ec.zip
pfsense-7361628b2a1a93742f167ed34caae1087df804ec.tar.gz
Add IPsec advanced option for strict CRL checking
-rw-r--r--etc/inc/vpn.inc4
-rw-r--r--usr/local/www/vpn_ipsec_settings.php16
2 files changed, 20 insertions, 0 deletions
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index fb477e4..688e9ca 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -713,6 +713,10 @@ EOD;
$ipsecconf .= "# This file is automatically generated. Do not edit\n";
$ipsecconf .= "config setup\n\tuniqueids = {$uniqueids}\n";
$ipsecconf .= "\tcharondebug=\"" . vpn_ipsec_configure_loglevels(true) . "\"\n";
+
+ if (isset($config['ipsec']['strictcrlpolicy'])) {
+ $ipsecconf .= "\tstrictcrlpolicy = yes \n";
+ }
if (!isset($config['ipsec']['noshuntlaninterfaces'])) {
if ($config['interfaces']['lan']) {
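Review bot: The emitted `strictcrlpolicy` line has a stray space before the newline, unlike the other `config setup` lines built just above it; `$ipsecconf .= "\tstrictcrlpolicy = yes\n";` keeps the generated ipsec.conf consistent. When the key is absent nothing is written, so the daemon's own default presumably governs, which matches the checkbox semantics on the settings page. A one-line comment such as `// fail closed: peer auth requires a fresh CRL when enabled` above the isset() would make the intent clear to the next maintainer. The enclosing function that assembles `$ipsecconf` starts outside this hunk.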
diff --git a/usr/local/www/vpn_ipsec_settings.php b/usr/local/www/vpn_ipsec_settings.php
index 025820b..a7f84a4 100644
--- a/usr/local/www/vpn_ipsec_settings.php
+++ b/usr/local/www/vpn_ipsec_settings.php
@@ -46,6 +46,7 @@ foreach ($ipsec_loglevels as $lkey => $ldescr) {
$pconfig["ipsec_{$lkey}"] = $config['ipsec']["ipsec_{$lkey}"];
}
$pconfig['unityplugin'] = isset($config['ipsec']['unityplugin']);
+$pconfig['strictcrlpolicy'] = isset($config['ipsec']['strictcrlpolicy']);
$pconfig['makebeforebreak'] = isset($config['ipsec']['makebeforebreak']);
$pconfig['noshuntlaninterfaces'] = isset($config['ipsec']['noshuntlaninterfaces']);
$pconfig['compression'] = isset($config['ipsec']['compression']);
@@ -156,6 +157,12 @@ if ($_POST) {
$needsrestart = true;
unset($config['ipsec']['unityplugin']);
}
+
+ if ($_POST['strictcrlpolicy'] == "yes") {
+ $config['ipsec']['strictcrlpolicy'] = true;
+ } else {
+ unset($config['ipsec']['strictcrlpolicy']);
+ }
if($_POST['makebeforebreak'] == "yes") {
$config['ipsec']['makebeforebreak'] = true;
@@ -378,6 +385,15 @@ function maxmss_checked(obj) {
</td>
</tr>
<tr>
+ <td width="22%" valign="top" class="vncell"><?=gettext("Strict CRL Checking"); ?></td>
+ <td width="78%" class="vtable">
+ <input name="strictcrlpolicy" type="checkbox" id="strictcrlpolicy" value="yes" <?php if ($pconfig['strictcrlpolicy'] == true) echo "checked=\"checked\""; ?> />
+ <strong><?=gettext("Enable strict Certificate Revocation List checking"); ?></strong>
+ <br />
+ <?=gettext("Check this to require availability of a fresh CRL for peer authentication based on RSA signatures to succeed."); ?>
+ </td>
+ </tr>
+ <tr>
<td width="22%" valign="top" class="vncell"><?=gettext("Make before Break"); ?></td>
<td width="78%" class="vtable">
<input name="makebeforebreak" type="checkbox" id="makebeforebreak" value="yes" <?php if ($pconfig['makebeforebreak'] == true) echo "checked=\"checked\""; ?> />
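Review bot: In the POST hunk, `$_POST['strictcrlpolicy']` is read without an isset() guard and compared loosely, so an unchecked box raises an undefined-index notice before the else branch runs; `if (isset($_POST['strictcrlpolicy']) && $_POST['strictcrlpolicy'] === "yes") {` avoids both. The existing makebeforebreak branch below uses the same loose pattern, so this follows file style rather than introducing the problem. If this option, like the unityplugin branch just above it, only takes effect on a daemon restart rather than a reload, the branch should also set `$needsrestart = true` when the stored value changes; worth confirming. The help text in the form hunk could additionally state that an unreachable or stale CRL will cause RSA-signature peer authentication to fail once this is enabled, since that is the operational consequence of "require availability of a fresh CRL".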