-rw-r--r-- | etc/inc/openvpn.inc | 21 | ||||
-rw-r--r-- | usr/local/www/vpn_openvpn_client.php | 16 |
2 files changed, 24 insertions, 13 deletions
diff --git a/etc/inc/openvpn.inc b/etc/inc/openvpn.inc
index 70ce84b..0591e56 100644
--- a/etc/inc/openvpn.inc
+++ b/etc/inc/openvpn.inc
@@ -593,10 +593,14 @@ function openvpn_reconfigure($mode, $settings) {
 if (!isset($settings['cert_depth']) && (strstr($settings['mode'], 'tls')))
 $settings['cert_depth'] = 1;
 if (is_numeric($settings['cert_depth'])) {
- $cert = lookup_cert($settings['certref']);
- /* XXX: Seems not used at all! */
- $servercn = urlencode(cert_get_cn($cert['crt']));
- $conf .= "tls-verify \"/usr/local/sbin/ovpn_auth_verify tls '{$servercn}' {$settings['cert_depth']}\"\n";
+ if (($mode == 'client') && empty($settings['certref']))
+ $cert = "";
+ else {
+ $cert = lookup_cert($settings['certref']);
+ /* XXX: Seems not used at all! */
+ $servercn = urlencode(cert_get_cn($cert['crt']));
+ $conf .= "tls-verify \"/usr/local/sbin/ovpn_auth_verify tls '{$servercn}' {$settings['cert_depth']}\"\n";
+ }
 }
 // The local port to listen on
@@ -723,9 +727,12 @@ function openvpn_reconfigure($mode, $settings) {
 case 'server_user':
 $ca = lookup_ca($settings['caref']);
 openvpn_add_keyfile($ca['crt'], $conf, $mode_id, "ca");
- $cert = lookup_cert($settings['certref']);
- openvpn_add_keyfile($cert['crt'], $conf, $mode_id, "cert");
- openvpn_add_keyfile($cert['prv'], $conf, $mode_id, "key");
+
+ if (!empty($settings['certref'])) {
+ $cert = lookup_cert($settings['certref']);
+ openvpn_add_keyfile($cert['crt'], $conf, $mode_id, "cert");
+ openvpn_add_keyfile($cert['prv'], $conf, $mode_id, "key");
+ }
 if ($mode == 'server')
 $conf .= "dh {$g['etc_path']}/dh-parameters.{$settings['dh_length']}\n";
 if (!empty($settings['crlref'])) {
diff --git a/usr/local/www/vpn_openvpn_client.php b/usr/local/www/vpn_openvpn_client.php
index 560b3f5..5d33911 100644
--- a/usr/local/www/vpn_openvpn_client.php
+++ b/usr/local/www/vpn_openvpn_client.php
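Review bot: The new client branch in the `@@ -593` hunk drops the `tls-verify` line entirely when no client certificate is selected, so `cert_depth` is no longer enforced on the server's certificate chain for username/password-only clients, although the commit only needed to avoid calling `lookup_cert()` on an empty `certref`. The existing `/* XXX: Seems not used at all! */` comment suggests the CN argument is not used by the verify script; if that holds, only the `$servercn` lookup needs guarding (emit an empty CN when `certref` is empty) and the `tls-verify` line can still be written, but that should be confirmed against ovpn_auth_verify before changing it. `$cert = "";` is otherwise a dead assignment in this branch and could be dropped in favour of a single guard around the existing four lines. openvpn_reconfigure() continues outside the hunk.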
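Review bot: The `!empty($settings['certref'])` guard added in the `@@ -723` hunk is not limited to client mode, unlike the matching check in the first hunk, so a server entry with an empty `certref` would now silently produce a config with no `cert`/`key` lines instead of failing at `lookup_cert()`; `if (($mode != 'client') || !empty($settings['certref'])) {` keeps the server-side behaviour unchanged. `$cert` is also no longer assigned on the skip path, so any later reference to it in this function would read an undefined variable — worth checking, since the rest of the switch and the function body are outside the hunk.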
@@ -244,8 +244,8 @@ if ($_POST) {
 /* If we are not in shared key mode, then we need the CA/Cert. */
 if ($pconfig['mode'] != "p2p_shared_key") {
- $reqdfields = explode(" ", "caref certref");
- $reqdfieldsn = array(gettext("Certificate Authority"),gettext("Certificate"));
+ $reqdfields = explode(" ", "caref");
+ $reqdfieldsn = array(gettext("Certificate Authority"));
 } elseif (!$pconfig['autokey_enable']) {
 /* We only need the shared key filled in if we are in shared key mode and autokey is not selected. */
 $reqdfields = array('shared_key');
@@ -253,7 +253,11 @@ if ($_POST) {
 }
 do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);
-
+
+ if (($pconfig['mode'] != "p2p_shared_key") && empty($pconfig['certref']) && empty($pconfig['auth_user']) && empty($pconfig['auth_pass'])) {
+ $input_errors[] = gettext("If no Client Certificate is selected, a username and password must be entered.");
+ }
+
 if (!$input_errors) {
 $client = array();
@@ -733,7 +737,6 @@ if ($savemsg)
 <tr id="tls_cert">
 <td width="22%" valign="top" class="vncellreq"><?=gettext("Client Certificate"); ?></td>
 <td width="78%" class="vtable">
- <?php if (count($a_cert)): ?>
 <select name='certref' class="formselect">
 <?php
 foreach ($a_cert as $cert):
@@ -753,9 +756,10 @@ if ($savemsg)
 ?>
 <option value="<?=$cert['refid'];?>" <?=$selected;?>><?=$cert['descr'] . $caname . $inuse . $revoked;?></option>
 <?php endforeach; ?>
+ <option value="" <?PHP if (empty($pconfig['certref'])) echo "selected=\"selected\""; ?>>None (Username and Password required)</option>
 </select>
- <?php else: ?>
- <b>No Certificates defined.</b> <br />Create one under <a href="system_certmanager.php">System > Cert Manager</a>.
+ <?php if (!count($a_cert)): ?>
+ <b>No Certificates defined.</b> <br />Create one under <a href="system_certmanager.php">System > Cert Manager</a> if one is required for this connection.
 <?php endif; ?>
 </td>
 </tr>
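Review bot: The validation added in the `@@ -253` hunk only fires when `auth_user` and `auth_pass` are both empty, so a certificate-less client with a username and a blank password (or the reverse) passes validation even though the error text says both are required; the credential part of the condition should be `(empty($pconfig['auth_user']) || empty($pconfig['auth_pass']))`. `empty()` also treats the literal string `"0"` as empty, so a password of `0` would be rejected; testing `!isset($pconfig['auth_pass']) || $pconfig['auth_pass'] === ''` avoids that. The enclosing `if ($_POST)` block starts and ends outside the hunk.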
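Review bot: The new `None (Username and Password required)` option label in the `@@ -753` hunk is the only user-facing string in the hunk not passed through `gettext()`, and its tag is spelled `<?PHP` where the rest of the file uses `<?php`; `<option value="" <?php if (empty($pconfig['certref'])) echo "selected=\"selected\""; ?>><?=gettext("None (Username and Password required)"); ?></option>` fixes both. The `<td width="22%" valign="top" class="vncellreq">` cell shown as context in the `@@ -733` hunk still marks Client Certificate as a required field although this commit makes it optional, so `vncell` would now be the accurate class there.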