diff options
| author | jim-p <jimp@pfsense.org> | 2013-11-13 16:13:31 -0500 |
|---|---|---|
| committer | jim-p <jimp@pfsense.org> | 2013-11-13 16:18:10 -0500 |
| commit | 1a533cc04b825769bf2c8a83f574894132fe9ba4 (patch) | |
| tree | 0e9b1231d205516ed72f2f56108f5d2cde551b68 /config/openvpn-client-export | |
| parent | 55919f19b994f401e3273a5ed1d4975fd6d03634 (diff) | |
| download | pfsense-packages-1a533cc04b825769bf2c8a83f574894132fe9ba4.tar.gz pfsense-packages-1a533cc04b825769bf2c8a83f574894132fe9ba4.tar.bz2 pfsense-packages-1a533cc04b825769bf2c8a83f574894132fe9ba4.zip | |
Bring back tls-remote as a non-default option for those stuck on older clients. Also give the user the option to disable server cert CN verification. Implements #3318
Diffstat (limited to 'config/openvpn-client-export')
| -rwxr-xr-x | config/openvpn-client-export/openvpn-client-export.inc | 28 | ||||
| -rwxr-xr-x | config/openvpn-client-export/openvpn-client-export.xml | 2 |
2 files changed, 21 insertions, 9 deletions
diff --git a/config/openvpn-client-export/openvpn-client-export.inc b/config/openvpn-client-export/openvpn-client-export.inc index de27b907..e6351686 100755 --- a/config/openvpn-client-export/openvpn-client-export.inc +++ b/config/openvpn-client-export/openvpn-client-export.inc @@ -170,7 +170,7 @@ function openvpn_client_export_validate_config($srvid, $usrid, $crtid) { return array($settings, $server_cert, $server_ca, $servercn, $user, $cert, $nokeys); } -function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $quoteservercn, $usetoken, $nokeys = false, $proxy, $expformat = "baseconf", $outpass = "", $skiptls=false, $doslines=false, $openvpnmanager, $advancedoptions = "") { +function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $verifyservercn, $usetoken, $nokeys = false, $proxy, $expformat = "baseconf", $outpass = "", $skiptls=false, $doslines=false, $openvpnmanager, $advancedoptions = "") { global $config, $input_errors, $g; $pfs_version = substr(trim(file_get_contents("/etc/version")),0,3); @@ -211,9 +211,21 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $quotese $conf .= "$remotes{$nl}"; /* This line can cause problems with auth-only setups and also with Yealink/Snom phones since they are stuck on an older OpenVPN version that does not support this feature. */ - if (!empty($servercn) && !$nokeys && (substr($expformat, 0, 7) != "yealink") && ($expformat != "snom")) { - $qw = ($quoteservercn) ? "\"" : ""; - $conf .= "verify-x509-name {$qw}{$servercn}{$qw} name{$nl}"; + if (!empty($servercn) && !$nokeys) { + switch ($verifyservercn) { + case "none": + break; + case "tls-remote": + $conf .= "tls-remote {$servercn}{$nl}"; + break; + case "tls-remote-quote": + $conf .= "tls-remote \"{$servercn}\"{$nl}"; + break; + default: + if ((substr($expformat, 0, 7) != "yealink") && ($expformat != "snom")) { + $conf .= "verify-x509-name \"{$servercn}\" name{$nl}"; + } + } } if (!empty($proxy)) { @@ -459,7 +471,7 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $quotese } } -function openvpn_client_export_installer($srvid, $usrid, $crtid, $useaddr, $quoteservercn, $usetoken, $outpass, $proxy, $openvpnmanager, $advancedoptions, $openvpn_version = "2.1") { +function openvpn_client_export_installer($srvid, $usrid, $crtid, $useaddr, $verifyservercn, $usetoken, $outpass, $proxy, $openvpnmanager, $advancedoptions, $openvpn_version = "2.1") { global $config, $g, $input_errors; $uname_p = trim(exec("uname -p")); @@ -511,7 +523,7 @@ function openvpn_client_export_installer($srvid, $usrid, $crtid, $useaddr, $quot $pwdfle .= "{$proxy['password']}\r\n"; file_put_contents("{$confdir}/{$proxy['passwdfile']}", $pwdfle); } - $conf = openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $quoteservercn, $usetoken, $nokeys, $proxy, "", "baseconf", false, true, $openvpnmanager, $advancedoptions); + $conf = openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $verifyservercn, $usetoken, $nokeys, $proxy, "", "baseconf", false, true, $openvpnmanager, $advancedoptions); if (!$conf) { $input_errors[] = "Could not create a config to export."; return false; @@ -576,7 +588,7 @@ RunProgram="openvpn-postinstall.exe" return $outfile; } -function viscosity_openvpn_client_config_exporter($srvid, $usrid, $crtid, $useaddr, $quoteservercn, $usetoken, $outpass, $proxy, $openvpnmanager, $advancedoptions) { +function viscosity_openvpn_client_config_exporter($srvid, $usrid, $crtid, $useaddr, $verifyservercn, $usetoken, $outpass, $proxy, $openvpnmanager, $advancedoptions) { global $config, $g; $uname_p = trim(exec("uname -p")); @@ -611,7 +623,7 @@ function viscosity_openvpn_client_config_exporter($srvid, $usrid, $crtid, $usead file_put_contents("{$tempdir}/{$proxy['passwdfile']}", $pwdfle); } - $conf = openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $quoteservercn, $usetoken, true, $proxy, "baseconf", "", true, $openvpnmanager, $advancedoptions); + $conf = openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $verifyservercn, $usetoken, true, $proxy, "baseconf", "", true, $openvpnmanager, $advancedoptions); if (!$conf) return false; diff --git a/config/openvpn-client-export/openvpn-client-export.xml b/config/openvpn-client-export/openvpn-client-export.xml index 04ffcec7..fa5ce6cf 100755 --- a/config/openvpn-client-export/openvpn-client-export.xml +++ b/config/openvpn-client-export/openvpn-client-export.xml @@ -1,7 +1,7 @@ <?xml version="1.0" encoding="utf-8" ?> <packagegui> <name>OpenVPN Client Export</name> - <version>1.2</version> + <version>1.2.1</version> <title>OpenVPN Client Export</title> <include_file>/usr/local/pkg/openvpn-client-export.inc</include_file> <backup_file></backup_file> |