diff options
author | jim-p <jimp@pfsense.org> | 2011-10-10 17:18:22 -0400 |
---|---|---|
committer | jim-p <jimp@pfsense.org> | 2011-10-27 10:28:01 -0400 |
commit | 98963f2771f4ee7ac6c278a1b80f5c5e7ebfaa7d (patch) | |
tree | 35dc3a7fff9b3dce2f640519a8898b810495e573 /etc/inc/openvpn.inc | |
parent | 87b4deb2b2dae9013e6aa0fe490d6a5a04a27894 (diff) | |
download | pfsense-98963f2771f4ee7ac6c278a1b80f5c5e7ebfaa7d.zip pfsense-98963f2771f4ee7ac6c278a1b80f5c5e7ebfaa7d.tar.gz |
Add GUI option to limit the certificate depth allowed when OpenVPN clients are connecting.
Diffstat (limited to 'etc/inc/openvpn.inc')
-rw-r--r-- | etc/inc/openvpn.inc | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/etc/inc/openvpn.inc b/etc/inc/openvpn.inc index 74b640a..7408d50 100644 --- a/etc/inc/openvpn.inc +++ b/etc/inc/openvpn.inc @@ -71,6 +71,14 @@ $openvpn_dev_mode = array("tun", "tap"); $openvpn_dh_lengths = array( 1024, 2048, 4096 ); +$openvpn_cert_depths = array( + 1 => "One (Client+Server)", + 2 => "Two (Client+Intermediate+Server)", + 3 => "Three (Client+2xIntermediate+Server)", + 4 => "Four (Client+3xIntermediate+Server)", + 5 => "Five (Client+4xIntermediate+Server)" +); + $openvpn_server_modes = array( 'p2p_tls' => gettext("Peer to Peer ( SSL/TLS )"), 'p2p_shared_key' => gettext("Peer to Peer ( Shared Key )"), @@ -447,6 +455,16 @@ function openvpn_reconfigure($mode, $settings) { } break; } + if (is_numeric($settings['cert_depth'])) { + $sed = ""; + $cert = lookup_cert($settings['certref']); + $servercn = cert_get_cn($cert['crt']); + $sed .= "\$server_cn = \"{$servercn}\";\\\n"; + $sed .= "\$allowed_depth = {$settings['cert_depth']};\\\n"; + mwexec("/bin/cat /etc/inc/openvpn.tls-verify.php | /usr/bin/sed 's/\/\/<template>/{$sed}/g' > {$g['varetc_path']}/openvpn/{$mode_id}.tls-verify.php"); + mwexec("/bin/chmod a+x {$g['varetc_path']}/openvpn/{$mode_id}.tls-verify.php"); + $conf .= "tls-verify {$g['varetc_path']}/openvpn/{$mode_id}.tls-verify.php\n"; + } // The local port to listen on $conf .= "lport {$settings['local_port']}\n"; |