author | jim-p <jimp@pfsense.org> | 2015-12-07 10:17:13 -0500 |
---|---|---|
committer | jim-p <jimp@pfsense.org> | 2015-12-07 10:18:33 -0500 |
commit | 0e9d4a6dc2cd683c64488be76a9911519079e606 (patch) | |
tree | 22f6d4d49699e5be51aac61f3af7ef6c5084aaea | |
parent | de1a3167620d083353e5a1d9a6e2021775d627ef (diff) | |
Prioritize and separate server certificates in the OpenVPN server certificate list to make it clearer that certificates created as Server certificates should be used for this purpose -- using a non-server certificate is still valid, but it is not what most people intend to do. Ticket #5602
-rw-r--r-- | src/etc/inc/openvpn.inc | 47 | ||||
-rw-r--r-- | src/usr/local/www/vpn_openvpn_server.php | 19 |
2 files changed, 51 insertions, 15 deletions
diff --git a/src/etc/inc/openvpn.inc b/src/etc/inc/openvpn.inc
index 15133d4..202d6bd 100644
--- a/src/etc/inc/openvpn.inc
+++ b/src/etc/inc/openvpn.inc
@@ -192,7 +192,7 @@ function openvpn_build_crl_list() {
 return($list);
 }
 
-function openvpn_build_cert_list($include_none = false) {
+function openvpn_build_cert_list($include_none = false, $prioritize_server_certs = false) {
 global $a_cert;
 
 if ($include_none) {
@@ -201,29 +201,50 @@ function openvpn_build_cert_list($include_none = false) {
 $list = array();
 }
 
+ if ($prioritize_server_certs) {
+ $list[' '] = "===== Server Certificates =====";
+ $non_server_list = array();
+ $non_server_list[' '] = "===== Non-Server Certificates =====";
+ }
+
 foreach ($a_cert as $cert) {
- $caname = "";
- $inuse = "";
- $revoked = "";
+ $properties = array();
+ $propstr = "";
 $ca = lookup_ca($cert['caref']);
+ $purpose = cert_get_purpose($cert['crt'], true);
+ if ($purpose['server'] == "Yes") {
+ $properties[] = "Server: Yes";
+ } elseif ($prioritize_server_certs) {
+ $properties[] = "Server: NO";
+ }
 
 if ($ca) {
- $caname = " (CA: {$ca['descr']})";
+ $properties[] = "CA: {$ca['descr']}";
 }
-
- if ($pconfig['certref'] == $cert['refid']) {
- $selected = "selected";
+ if (cert_in_use($cert['refid'])) {
+ $properties[] = "In Use";
+ }
+ if (is_cert_revoked($cert)) {
+ $properties[] = "Revoked";
 }
 
- if (cert_in_use($cert['refid'])) {
- $inuse = " *In Use";
+ if (!empty($properties)) {
+ $propstr = " (" . implode(", ", $properties) . ")";
 }
 
- if (is_cert_revoked($cert)) {
- $revoked = " *Revoked";
+ if ($prioritize_server_certs) {
+ if ($purpose['server'] == "Yes") {
+ $list[$cert['refid']] = $cert['descr'] . $propstr;
+ } else {
+ $non_server_list[$cert['refid']] = $cert['descr'] . $propstr;
+ }
+ } else {
+ $list[$cert['refid']] = $cert['descr'] . $propstr;
 }
+ }
 
- $list[$cert['refid']] = $cert['descr'] . $caname . $inuse . $revoked;
+ if ($prioritize_server_certs) {
+ $list = array_merge($list, $non_server_list);
 }
 
 return($list);
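Review bot: The new `$prioritize_server_certs` parameter is undocumented and the function has no docblock, so a caller cannot tell from the signature that enabling it inserts heading entries keyed by whitespace into the returned map that must never be accepted as a real selection. Add a docblock above the signature stating the return shape (refid => description, plus the `' '` heading keys when prioritizing) and that callers are responsible for rejecting a whitespace-only certref on submit. The function body continues in the next hunk.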
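Review bot: Both section headings use the same key `' '`, so `array_merge($list, $non_server_list)` overwrites the "Server Certificates" heading in place with the "Non-Server Certificates" one, and the merged list shows a single, wrong heading at the top with no separator between the two groups. `array_merge` also renumbers keys PHP stores as integers, so a refid made only of decimal digits would be rewritten to 0 and the option value would no longer match the certificate, whereas the union operator keeps keys intact. Change the heading to `$non_server_list['  '] = "===== Non-Server Certificates =====";` (two spaces, still rejected by the `trim()` check added in vpn_openvpn_server.php) and the merge to `$list += $non_server_list;`. `$purpose['server']` is also read unconditionally; if `cert_get_purpose()` can return something other than an array for an unparseable certificate, guard those reads with `is_array($purpose) &&`, but that helper is not visible here.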
diff --git a/src/usr/local/www/vpn_openvpn_server.php b/src/usr/local/www/vpn_openvpn_server.php
index 7a94bec..8861cb7 100644
--- a/src/usr/local/www/vpn_openvpn_server.php
+++ b/src/usr/local/www/vpn_openvpn_server.php
@@ -419,6 +419,9 @@ if ($_POST) {
 
 /* If we are not in shared key mode, then we need the CA/Cert. */
 if ($pconfig['mode'] != "p2p_shared_key") {
+ if (empty(trim($pconfig['certref']))) {
+ $input_errors[] = gettext("The selected certificate is not valid");
+ }
 $reqdfields = explode(" ", "caref certref");
 $reqdfieldsn = array(gettext("Certificate Authority"), gettext("Certificate"));
 } elseif (!$pconfig['autokey_enable']) {
@@ -744,12 +747,24 @@ if($act=="new" || $act=="edit") :
 ));
 }
 
+ $certhelp = "";
+ if (count($a_cert)) {
+ if (!empty(trim($pconfig['certref']))) {
+ $purpose = cert_get_purpose($a_cert[$pconfig['certref']]['crt'], true);
+ if ($purpose['server'] != "Yes") {
+ $certhelp = gettext("Warning: The previously saved server was not created as an SSL Server certificate and may not work properly.");
+ }
+ }
+ } else {
+ $certhelp = sprintf('No Certificates defined. You may create one here: %s', '<a href="system_camanager.php">System > Cert Manager</a>');
+ }
+
 $section->addInput(new Form_Select(
 'certref',
 'Server certificate',
 $pconfig['certref'],
- openvpn_build_cert_list()
- ))->setHelp(count($a_cert) ? '':sprintf('No Certificates defined. You may create one here: %s', '<a href="system_camanager.php">System > Cert Manager</a>'));
+ openvpn_build_cert_list(false, true)
+ ))->setHelp($certhelp);
 
 $section->addInput(new Form_Select(
 'dh_length',
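Review bot: The new check only rejects a whitespace-only `certref` (the heading entries produced by `openvpn_build_cert_list()`); any other value posted by the client still passes here, including a refid that does not exist or that belongs to a revoked certificate, unless that is validated further down outside this hunk. Since the certificate store is available on this page, resolve the selection and fail when it does not resolve, e.g. `if (empty(trim($pconfig['certref'])) || !lookup_cert($pconfig['certref'])) {` with the same error message, assuming a `lookup_cert()` counterpart to the `lookup_ca()` used in openvpn.inc exists. The enclosing `if ($_POST)` block starts before and ends after this hunk.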
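Review bot: `$a_cert[$pconfig['certref']]['crt']` indexes the certificate list by refid, but openvpn.inc iterates the same `$a_cert` with `foreach` and reads the refid from each element's `'refid'` field, which suggests the array is positional rather than keyed by refid; if so the lookup yields null, `cert_get_purpose()` receives no certificate, and the "not an SSL Server certificate" warning is shown for every saved server regardless of its certificate's actual purpose. Resolve the refid the way `caref` is resolved with `lookup_ca()`, e.g. `$thiscert = lookup_cert($pconfig['certref']);` followed by `$purpose = $thiscert ? cert_get_purpose($thiscert['crt'], true) : false;`, and only emit the warning when `$purpose` is an array whose `'server'` entry is not "Yes". The enclosing `if($act=="new" || $act=="edit")` block starts and ends outside this hunk.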