authorjim-p <jimp@pfsense.org>2011-10-10 17:18:22 -0400
committerjim-p <jimp@pfsense.org>2011-10-27 10:29:38 -0400
commit77ed2f4c9f67af9c041ae5de3dcf82455238fdb7 (patch)
treebb547a99f575145841359005adbb00039e5c1036 /etc/inc/openvpn.inc
parent3f9c177572d5d2c2995b5e6a81679fd5bb7ce6ec (diff)
Add GUI option to limit the certificate depth allowed when OpenVPN clients are connecting.
Diffstat (limited to 'etc/inc/openvpn.inc')
-rw-r--r--etc/inc/openvpn.inc18
1 files changed, 18 insertions, 0 deletions
diff --git a/etc/inc/openvpn.inc b/etc/inc/openvpn.inc
index ce97469..b34d442 100644
--- a/etc/inc/openvpn.inc
+++ b/etc/inc/openvpn.inc
@@ -71,6 +71,14 @@ $openvpn_dev_mode = array("tun", "tap");
$openvpn_dh_lengths = array(
1024, 2048, 4096 );
+$openvpn_cert_depths = array(
+ 1 => "One (Client+Server)",
+ 2 => "Two (Client+Intermediate+Server)",
+ 3 => "Three (Client+2xIntermediate+Server)",
+ 4 => "Four (Client+3xIntermediate+Server)",
+ 5 => "Five (Client+4xIntermediate+Server)"
+);
+
$openvpn_server_modes = array(
'p2p_tls' => "Peer to Peer ( SSL/TLS )",
'p2p_shared_key' => "Peer to Peer ( Shared Key )",
@@ -430,6 +438,16 @@ function openvpn_reconfigure($mode, $settings) {
}
break;
}
+ if (is_numeric($settings['cert_depth'])) {
+ $sed = "";
+ $cert = lookup_cert($settings['certref']);
+ $servercn = cert_get_cn($cert['crt']);
+ $sed .= "\$server_cn = \"{$servercn}\";\\\n";
+ $sed .= "\$allowed_depth = {$settings['cert_depth']};\\\n";
+ mwexec("/bin/cat /etc/inc/openvpn.tls-verify.php | /usr/bin/sed 's/\/\/<template>/{$sed}/g' > {$g['varetc_path']}/openvpn/{$mode_id}.tls-verify.php");
+ mwexec("/bin/chmod a+x {$g['varetc_path']}/openvpn/{$mode_id}.tls-verify.php");
+ $conf .= "tls-verify {$g['varetc_path']}/openvpn/{$mode_id}.tls-verify.php\n";
+ }
// The local port to listen on
$conf .= "lport {$settings['local_port']}\n";
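Review bot: The sed invocation on the first `mwexec` line splices `$servercn` and `$settings['cert_depth']` into a single-quoted shell argument and a sed replacement with no escaping, so a server certificate CN containing `/`, `&`, `\`, `"` or `'` breaks the sed expression, the shell quoting, or the string literal in the generated tls-verify script. `is_numeric` is also looser than the depth table in the first hunk allows (it accepts `1.5`, `1e1` and leading whitespace), and the raw value is written into the script as PHP source rather than as an integer. Building the file in PHP with `var_export`/`intval` removes the shell round-trip and keeps both values well-formed PHP literals; the `chmod(..., 0755)` below assumes the usual 0644 result of the umask, so confirm it matches the original `a+x`. openvpn_reconfigure starts and ends outside this hunk, and the hunk's line counts suggest one blank context line was dropped by the page rendering.
```php
if (is_numeric($settings['cert_depth'])) {
    $cert = lookup_cert($settings['certref']);
    $servercn = cert_get_cn($cert['crt']);
    // Generate the verify script in PHP so the CN and depth land in it as
    // proper PHP literals and never pass through sed or the shell.
    $template = file_get_contents("/etc/inc/openvpn.tls-verify.php");
    $vars = "\$server_cn = " . var_export($servercn, true) . ";\n"
          . "\$allowed_depth = " . intval($settings['cert_depth']) . ";\n";
    $verify_script = "{$g['varetc_path']}/openvpn/{$mode_id}.tls-verify.php";
    file_put_contents($verify_script, str_replace("//<template>", $vars, $template));
    chmod($verify_script, 0755);
    $conf .= "tls-verify {$verify_script}\n";
}
// … unchanged: lport line …
```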