author | Chris Buechler <cmb@pfsense.org> | 2015-07-22 13:05:22 -0500 |
committer | Chris Buechler <cmb@pfsense.org> | 2015-07-22 13:06:17 -0500 |
commit | 14ec7c4bf878e94334f00cdf47873b6396d1b0da (patch) | |
tree | ca41eb0dbe9eeba12bfc5dcd5a107e2c2c1e2728 | |
parent | fcb477c057a23706dc84b0b27deb2f411226faa0 (diff) | |
write out built-in CRLs for strongswan
-rw-r--r-- | etc/inc/vpn.inc | 20 |
1 files changed, 18 insertions, 2 deletions
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index aaf7c09..fb477e4 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -151,6 +151,7 @@ function vpn_ipsec_configure($restart = false) {
 $certpath = "{$g['varetc_path']}/ipsec/ipsec.d/certs";
 $capath = "{$g['varetc_path']}/ipsec/ipsec.d/cacerts";
 $keypath = "{$g['varetc_path']}/ipsec/ipsec.d/private";
+ $crlpath = "{$g['varetc_path']}/ipsec/ipsec.d/crls";
 
 mwexec("/sbin/ifconfig enc0 up");
 set_single_sysctl("net.inet.ip.ipsec_in_use", "1");
@@ -171,8 +172,8 @@ function vpn_ipsec_configure($restart = false) {
 if (!is_dir($keypath)) {
 mkdir($keypath);
 }
- if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/crls")) {
- mkdir("{$g['varetc_path']}/ipsec/ipsec.d/crls");
+ if (!is_dir($crlpath)) {
+ mkdir($crlpath);
 }
 if (!is_dir($certpath)) {
 mkdir($certpath);
@@ -584,6 +585,21 @@ EOD;
 unset($cert);
 }
 }
+
+ /* write out CRL files */
+ if (is_array($config['crl']) && count($config['crl'])) {
+ foreach ($config['crl'] as $crl) {
+ if (!isset($crl['text'])) {
+ log_error(sprintf(gettext("Error: Invalid CRL data for %s"), $crl['descr']));
+ continue;
+ }
+ $fpath = "{$crlpath}/{$crl['refid']}.crl";
+ if (!@file_put_contents($fpath, base64_decode($crl['text']))) {
+ log_error(sprintf(gettext("Error: Cannot write IPsec CRL file for %s"), $crl['descr']));
+ continue;
+ }
+ }
+ }
 $pskconf = "";
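Review bot: The new `mkdir($crlpath)` in the second hunk discards its return value, so a directory that cannot be created (permissions, or a stale regular file already sitting at that path) is not reported at the point of failure and would presumably only surface later, one log line per CRL, when the files under `$crlpath` are written. A guard in the style of the logging already used in this file keeps the change to one line: `if (!is_dir($crlpath) && !mkdir($crlpath)) { log_error(sprintf(gettext("Error: Cannot create IPsec CRL directory %s"), $crlpath)); }`. The adjacent keypath/certpath `mkdir` calls share the same pattern but are unchanged context here, and the directory mode is left to the default and umask consistently with them. vpn_ipsec_configure begins and ends outside the hunk.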