From 98963f2771f4ee7ac6c278a1b80f5c5e7ebfaa7d Mon Sep 17 00:00:00 2001
From: jim-p <jimp@pfsense.org>
Date: Mon, 10 Oct 2011 17:18:22 -0400
Subject: Add GUI option to limit the certificate depth allowed when OpenVPN
 clients are connecting.

---
 usr/local/www/vpn_openvpn_server.php | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

(limited to 'usr/local/www/vpn_openvpn_server.php')

diff --git a/usr/local/www/vpn_openvpn_server.php b/usr/local/www/vpn_openvpn_server.php
index 0a50446..b70bbf3 100644
--- a/usr/local/www/vpn_openvpn_server.php
+++ b/usr/local/www/vpn_openvpn_server.php
@@ -123,6 +123,7 @@ if($_GET['act']=="edit"){
 			$pconfig['crlref'] = $a_server[$id]['crlref'];
 			$pconfig['certref'] = $a_server[$id]['certref'];
 			$pconfig['dh_length'] = $a_server[$id]['dh_length'];
+			$pconfig['cert_depth'] = $a_server[$id]['cert_depth'];
 			if ($pconfig['mode'] == "server_tls_user")
 				$pconfig['strictusercn'] = $a_server[$id]['strictusercn'];
 		} else
@@ -317,6 +318,7 @@ if ($_POST) {
 			$server['crlref'] = $pconfig['crlref'];
 			$server['certref'] = $pconfig['certref'];
 			$server['dh_length'] = $pconfig['dh_length'];
+			$server['cert_depth'] = $pconfig['cert_depth'];
 			if ($pconfig['mode'] == "server_tls_user")
 				$server['strictusercn'] = $pconfig['strictusercn'];
 		} else {
@@ -408,6 +410,7 @@ function mode_change() {
 			document.getElementById("tls_crl").style.display="";
 			document.getElementById("tls_cert").style.display="";
 			document.getElementById("tls_dh").style.display="";
+			document.getElementById("cert_depth").style.display="";
 			document.getElementById("strictusercn").style.display="none";
 			document.getElementById("psk").style.display="none";
 			break;
@@ -417,6 +420,7 @@ function mode_change() {
 			document.getElementById("tls_crl").style.display="";
 			document.getElementById("tls_cert").style.display="";
 			document.getElementById("tls_dh").style.display="";
+			document.getElementById("cert_depth").style.display="";
 			document.getElementById("strictusercn").style.display="";
 			document.getElementById("psk").style.display="none";
 			break;
@@ -426,6 +430,7 @@ function mode_change() {
 			document.getElementById("tls_crl").style.display="none";
 			document.getElementById("tls_cert").style.display="none";
 			document.getElementById("tls_dh").style.display="none";
+			document.getElementById("cert_depth").style.display="none";
 			document.getElementById("strictusercn").style.display="none";
 			document.getElementById("psk").style.display="";
 			break;
@@ -921,6 +926,31 @@ if ($savemsg)
 							</select>
 						</td>
 					</tr>
+					<tr id="cert_depth">
+						<td width="22%" valign="top" class="vncell"><?=gettext("Certificate Depth"); ?></td>
+						<td width="78%" class="vtable">
+							<table border="0" cellpadding="2" cellspacing="0">
+							<tr><td>
+							<select name="cert_depth" class="formselect">
+								<option value="">Do Not Check</option>
+								<?php
+									foreach ($openvpn_cert_depths as $depth => $depthdesc):
+									$selected = '';
+									if ($depth == $pconfig['cert_depth'])
+										$selected = ' selected';
+								?>
+								<option value="<?= $depth ?>" <?= $selected ?>><?= $depthdesc ?></option>
+								<?php endforeach; ?>
+							</select>
+							</td></tr>
+							<tr><td>
+							<span class="vexpl">
+								<?=gettext("When a certificate-based client logs in, do not accept certificates below this depth. Useful for denying certificates made with intermediate CAs generated from the same CA as the server."); ?>
+							</span>
+							</td></tr>
+							</table>
+						</td>
+					</tr>
 					<tr id="strictusercn">
 						<td width="22%" valign="top" class="vncell"><?=gettext("Strict User/CN Matching"); ?></td>
 						<td width="78%" class="vtable">
-- 
cgit v1.1