aboutsummaryrefslogtreecommitdiffstats
path: root/config/openvpn-client-export
diff options
context:
space:
mode:
authorjim-p <jimp@pfsense.org>2011-11-22 13:50:12 -0500
committerjim-p <jimp@pfsense.org>2011-11-22 13:50:12 -0500
commit29d06ea57694cd1dc9ee59f395edb6436e04eec8 (patch)
tree634ce691d9cb920f9b8a3af673ba79c9c6206254 /config/openvpn-client-export
parenta47f428c201a32f85e4c4bde640f825e681702a3 (diff)
downloadpfsense-packages-29d06ea57694cd1dc9ee59f395edb6436e04eec8.tar.gz
pfsense-packages-29d06ea57694cd1dc9ee59f395edb6436e04eec8.tar.bz2
pfsense-packages-29d06ea57694cd1dc9ee59f395edb6436e04eec8.zip
If we can determine that the server cert has nsCertType=server, then add ns-cert-type server to the client config.
Diffstat (limited to 'config/openvpn-client-export')
-rwxr-xr-xconfig/openvpn-client-export/openvpn-client-export.inc9
1 files changed, 9 insertions, 0 deletions
diff --git a/config/openvpn-client-export/openvpn-client-export.inc b/config/openvpn-client-export/openvpn-client-export.inc
index a69826ba..234d7326 100755
--- a/config/openvpn-client-export/openvpn-client-export.inc
+++ b/config/openvpn-client-export/openvpn-client-export.inc
@@ -230,6 +230,15 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $usetoke
// - Disable for now, it requires the server cert to include special options
//$conf .= "remote-cert-tls server{$nl}";
+ // Extra protection for the server cert, if it's supported
+ if (function_exists("cert_get_purpose")) {
+ if (is_array($server_cert) && ($server_cert['crt'])) {
+ $purpose = cert_get_purpose($server_cert['crt'], true);
+ if ($purpose['server'] == 'Yes')
+ $conf .= "ns-cert-type server";
+ }
+ }
+
// add optional settings
if ($settings['compression'])
$conf .= "comp-lzo{$nl}";