authorjim-p <jimp@pfsense.org>2011-07-06 14:52:46 -0400
committerjim-p <jimp@pfsense.org>2011-07-06 14:56:29 -0400
commite366b753b24d8cadbe15bc6778e46c3159dc9983 (patch)
treec904a51cfbb8994359efa875ff7236495c265e33
parenta7d0973d31804aed3435ba5a9627eda6737f4d8e (diff)
Force the connecting OpenVPN client to verify that the server's CN matches what is expected, to prevent MITM attacks. Fixes #1587
-rwxr-xr-xconfig/openvpn-client-export/openvpn-client-export.inc5
1 files changed, 5 insertions, 0 deletions
diff --git a/config/openvpn-client-export/openvpn-client-export.inc b/config/openvpn-client-export/openvpn-client-export.inc
index 04028139..ae8494b6 100755
--- a/config/openvpn-client-export/openvpn-client-export.inc
+++ b/config/openvpn-client-export/openvpn-client-export.inc
@@ -116,6 +116,9 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $usetoke
$input_errors[] = "Could not locate certificate.";
return false;
}
+ if (function_exists("cert_get_cn")) {
+ $servercn = cert_get_cn($server_cert['crt']);
+ }
// lookup user info
if (is_numeric($usrid)) {
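Review bot: Guarding the lookup with `function_exists("cert_get_cn")` makes the new protection fail open: when the helper is absent, `$servercn` is never set, the export silently omits the `tls-remote` line, and the client config looks complete while carrying none of the MITM defence this commit adds. Either surface the condition to the caller, e.g. `} else { $input_errors[] = "Unable to determine the server certificate CN; tls-remote will not be set."; }`, or, if skipping is deliberate for base versions without `cert_get_cn`, say so in a comment on the guard. Note also that the CN value is written into the config unquoted later in this diff; a CN containing whitespace would be split into extra tokens by OpenVPN's config parser, so it should be double-quoted or escaped there. OpenVPN's `tls-remote` also accepts a common-name prefix match, so if the same CA issues client certificates, a CN that merely starts with the server's CN would be accepted; that is worth recording in a comment so the limitation is not mistaken for an exact match. openvpn_client_export_config's body continues outside the hunk.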
@@ -175,6 +178,8 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $usetoke
$conf .= "client\n";
$conf .= "resolv-retry infinite\n";
$conf .= "remote {$server_host} {$server_port}\n";
+ if (!empty($servercn))
+ $conf .= "tls-remote {$servercn}\n";
if (!empty($proxy)) {
if ($proto == "udp") {