author | jim-p <jimp@pfsense.org> | 2011-10-10 17:18:22 -0400 |
---|---|---|
committer | jim-p <jimp@pfsense.org> | 2011-10-27 10:28:01 -0400 |
commit | 98963f2771f4ee7ac6c278a1b80f5c5e7ebfaa7d (patch) | |
tree | 35dc3a7fff9b3dce2f640519a8898b810495e573 /usr/local/www | |
parent | 87b4deb2b2dae9013e6aa0fe490d6a5a04a27894 (diff) | |
Add GUI option to limit the certificate depth allowed when OpenVPN clients are connecting.
Diffstat (limited to 'usr/local/www')
-rw-r--r-- | usr/local/www/vpn_openvpn_server.php | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/usr/local/www/vpn_openvpn_server.php b/usr/local/www/vpn_openvpn_server.php
index 0a50446..b70bbf3 100644
--- a/usr/local/www/vpn_openvpn_server.php
+++ b/usr/local/www/vpn_openvpn_server.php
@@ -123,6 +123,7 @@ if($_GET['act']=="edit"){
 $pconfig['crlref'] = $a_server[$id]['crlref'];
 $pconfig['certref'] = $a_server[$id]['certref'];
 $pconfig['dh_length'] = $a_server[$id]['dh_length'];
+ $pconfig['cert_depth'] = $a_server[$id]['cert_depth'];
 if ($pconfig['mode'] == "server_tls_user")
 $pconfig['strictusercn'] = $a_server[$id]['strictusercn'];
 } else
@@ -317,6 +318,7 @@ if ($_POST) {
 $server['crlref'] = $pconfig['crlref'];
 $server['certref'] = $pconfig['certref'];
 $server['dh_length'] = $pconfig['dh_length'];
+ $server['cert_depth'] = $pconfig['cert_depth'];
 if ($pconfig['mode'] == "server_tls_user")
 $server['strictusercn'] = $pconfig['strictusercn'];
 } else {
@@ -408,6 +410,7 @@ function mode_change() {
 document.getElementById("tls_crl").style.display="";
 document.getElementById("tls_cert").style.display="";
 document.getElementById("tls_dh").style.display="";
+ document.getElementById("cert_depth").style.display="";
 document.getElementById("strictusercn").style.display="none";
 document.getElementById("psk").style.display="none";
 break;
@@ -417,6 +420,7 @@ function mode_change() {
 document.getElementById("tls_crl").style.display="";
 document.getElementById("tls_cert").style.display="";
 document.getElementById("tls_dh").style.display="";
+ document.getElementById("cert_depth").style.display="";
 document.getElementById("strictusercn").style.display="";
 document.getElementById("psk").style.display="none";
 break;
@@ -426,6 +430,7 @@ function mode_change() {
 document.getElementById("tls_crl").style.display="none";
 document.getElementById("tls_cert").style.display="none";
 document.getElementById("tls_dh").style.display="none";
+ document.getElementById("cert_depth").style.display="none";
 document.getElementById("strictusercn").style.display="none";
 document.getElementById("psk").style.display="";
 break;
@@ -921,6 +926,31 @@ if ($savemsg)
 </select>
 </td>
 </tr>
+ <tr id="cert_depth">
+ <td width="22%" valign="top" class="vncell"><?=gettext("Certificate Depth"); ?></td>
+ <td width="78%" class="vtable">
+ <table border="0" cellpadding="2" cellspacing="0">
+ <tr><td>
+ <select name="cert_depth" class="formselect">
+ <option value="">Do Not Check</option>
+ <?php
+ foreach ($openvpn_cert_depths as $depth => $depthdesc):
+ $selected = '';
+ if ($depth == $pconfig['cert_depth'])
+ $selected = ' selected';
+ ?>
+ <option value="<?= $depth ?>" <?= $selected ?>><?= $depthdesc ?></option>
+ <?php endforeach; ?>
+ </select>
+ </td></tr>
+ <tr><td>
+ <span class="vexpl">
+ <?=gettext("When a certificate-based client logs in, do not accept certificates below this depth. Useful for denying certificates made with intermediate CAs generated from the same CA as the server."); ?>
+ </span>
+ </td></tr>
+ </table>
+ </td>
+ </tr>
 <tr id="strictusercn">
 <td width="22%" valign="top" class="vncell"><?=gettext("Strict User/CN Matching"); ?></td>
 <td width="78%" class="vtable">
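Review bot: The added `$server['cert_depth'] = $pconfig['cert_depth'];` in the `if ($_POST)` hunk writes the submitted value straight into the saved server entry, and none of this commit's 30 added lines (all visible in the diff, matching the diffstat) validate it, so a crafted POST can persist an arbitrary string instead of one of the keys the form offers from `$openvpn_cert_depths`. If that value is later interpolated into the generated OpenVPN configuration or a tls-verify argument (not visible here), this becomes an injection surface; at minimum the input-validation section of the POST handler, which lies outside this hunk, should reject anything not in the whitelist: `if (!empty($pconfig['cert_depth']) && !array_key_exists($pconfig['cert_depth'], $openvpn_cert_depths)) $input_errors[] = gettext("The field 'Certificate Depth' contains an invalid value.");`. The enclosing `if ($_POST)` block begins and ends outside the hunk.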
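Review bot: The `<option value="">Do Not Check</option>` line is the only user-visible label in the form hunk not wrapped in `gettext()`, unlike "Certificate Depth" and the help text a few lines later, so it will never be translated; it should read `<option value=""><?=gettext("Do Not Check"); ?></option>`. The preselection test `if ($depth == $pconfig['cert_depth'])` also relies on PHP loose comparison between an array key and a string coming from POST or the saved config; should `$openvpn_cert_depths` (defined outside this file) ever carry a key of `0`, the empty "Do Not Check" value would compare equal to it, so a typed comparison such as `if ((string)$depth === (string)$pconfig['cert_depth'])` is safer. The help text's phrase "below this depth" is also ambiguous for a certificate chain and could state plainly whether chains longer than the selected depth are rejected, assuming that is what the backend enforces.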