authorMatt Smith <mgsmith@netgate.com>2015-10-20 12:01:58 -0500
committerMatt Smith <mgsmith@netgate.com>2015-10-20 12:02:25 -0500
commit3f0b8a959dd6109b29379f9fb93d392bcd57e15b (patch)
treea3f3bfd3f68783367e0a1f8d0b89454397dcbced
parentdf6cb8fe852baa5788f68918b0b742a40b6cf874 (diff)
Limit the auth methods where "My Certificate Authority" is displayed/saved for
mobile clients. Fixes #5323.
-rw-r--r--src/usr/local/www/vpn_ipsec_phase1.php16
1 files changed, 12 insertions, 4 deletions
diff --git a/src/usr/local/www/vpn_ipsec_phase1.php b/src/usr/local/www/vpn_ipsec_phase1.php
index 5a9b37f..5fda34b 100644
--- a/src/usr/local/www/vpn_ipsec_phase1.php
+++ b/src/usr/local/www/vpn_ipsec_phase1.php
@@ -199,10 +199,11 @@ if ($_POST) {
$method = $pconfig['authentication_method'];
// Unset ca and cert if not required to avoid storing in config
if ($method == "pre_shared_key" || $method == "xauth_psk_server") {
- unset($pconfig['caref']);
unset($pconfig['certref']);
}
-
+ if ($method != "rsasig" && $method != "xauth_rsa_server" && $method != "eap-tls") {
+ unset($pconfig['caref']);
+ }
// Only require PSK here for normal PSK tunnels (not mobile) or xauth.
// For RSA methods, require the CA/Cert.
switch ($method) {
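Review bot: `hybrid_rsa_server` is not in the keep-list of the new `if`, so its `caref` is dropped before the `switch ($method)` that follows, whose comment says the RSA methods require the CA/Cert. That switch body is outside the hunk; if it still lists `caref` as a required field for `hybrid_rsa_server`, saving that method would now fail validation, so the two should be checked together. The new block also has no comment of its own and uses loose comparison; a line such as `// caref is only stored for methods that use a CA selection` above it, and `!==` in the condition, would make the intent explicit. The enclosing `if ($_POST)` block starts and ends outside the hunk.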
@@ -766,7 +767,7 @@ $section->addInput(new Form_Select(
$section->addInput(new Form_Select(
'caref',
- 'My Certificate Authority',
+ 'Peer Certificate Authority',
$pconfig['caref'],
build_ca_list()
))->setHelp('Select a certificate authority previously configured in the Certificate Manager.');
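Review bot: The help text on the `caref` select still only says to pick a CA from the Certificate Manager, although the label now reads 'Peer Certificate Authority'. If this selection decides which peer certificates are accepted, as the new label suggests, the help should say so, because choosing the wrong CA would then change which peers are trusted. For example: `->setHelp('Select the certificate authority, previously configured in the Certificate Manager, that peer certificates are checked against.')`, with the wording confirmed against how `caref` is used when the tunnel configuration is generated.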
@@ -946,8 +947,15 @@ events.push(function(){
switch ($('#authentication_method').val()) {
case 'eap-mschapv2':
case 'eap-radius':
- case 'eap-tls':
case 'hybrid_rsa_server':
+ hideInput('pskey', true);
+ hideClass('peeridgroup', false);
+ hideInput('certref', false);
+ hideInput('caref', true);
+ disableInput('certref', false);
+ disableInput('caref', true);
+ break;
+ case 'eap-tls':
case 'xauth_rsa_server':
case 'rsasig':
hideInput('pskey', true);
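Review bot: The set of methods that hide and disable `caref` here is a second copy of the list in the POST handler's new `if` in the first hunk, and nothing ties the two together. Hiding and disabling the input only affects what the browser submits; the server-side `unset($pconfig['caref'])` is what keeps a stale CA reference out of the saved config, so it should remain the authoritative check. A comment above the new case group such as `// methods that hide caref here must match the ones that unset caref on POST` would help keep the two from drifting. The switch continues past the end of the hunk.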