author | jim-p <jimp@pfsense.org> | 2011-07-06 14:52:46 -0400 |
---|---|---|
committer | jim-p <jimp@pfsense.org> | 2011-07-06 14:56:29 -0400 |
commit | e366b753b24d8cadbe15bc6778e46c3159dc9983 (patch) | |
tree | c904a51cfbb8994359efa875ff7236495c265e33 | |
parent | a7d0973d31804aed3435ba5a9627eda6737f4d8e (diff) | |
download | pfsense-packages-e366b753b24d8cadbe15bc6778e46c3159dc9983.tar.gz pfsense-packages-e366b753b24d8cadbe15bc6778e46c3159dc9983.tar.bz2 pfsense-packages-e366b753b24d8cadbe15bc6778e46c3159dc9983.zip |
Force the connecting OpenVPN client to verify that the server's CN matches what is expected, to prevent MITM attacks. Fixes #1587
-rwxr-xr-x | config/openvpn-client-export/openvpn-client-export.inc | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/config/openvpn-client-export/openvpn-client-export.inc b/config/openvpn-client-export/openvpn-client-export.inc
index 04028139..ae8494b6 100755
--- a/config/openvpn-client-export/openvpn-client-export.inc
+++ b/config/openvpn-client-export/openvpn-client-export.inc
@@ -116,6 +116,9 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $usetoke
 $input_errors[] = "Could not locate certificate.";
 return false;
 }
+if (function_exists("cert_get_cn")) {
+$servercn = cert_get_cn($server_cert['crt']);
+}
 
 // lookup user info
 if (is_numeric($usrid)) {
@@ -175,6 +178,8 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $usetoke
 $conf .= "client\n";
 $conf .= "resolv-retry infinite\n";
 $conf .= "remote {$server_host} {$server_port}\n";
+if (!empty($servercn))
+$conf .= "tls-remote {$servercn}\n";
 
 if (!empty($proxy)) {
 if ($proto == "udp") {
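Review bot: In the second hunk the CN is interpolated into the exported config unquoted, so a server CN containing whitespace (e.g. "My VPN Server") produces `tls-remote My VPN Server`, which OpenVPN tokenises on spaces and either rejects or matches only the first word; emit it as a quoted token instead, `$conf .= "tls-remote \"{$servercn}\"\n";`, with any embedded double quote escaped first. In the first hunk the `function_exists("cert_get_cn")` guard means that on a system lacking that helper `$servercn` is never set and the export silently drops the very check this commit adds; at minimum log or report to the admin that name verification was omitted rather than producing a config that looks protected. Note also that `tls-remote` treats the name as a common-name prefix, so the exported check is weaker than an exact match. The enclosing `openvpn_client_export_config` starts before and ends after both hunks.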