From 1a533cc04b825769bf2c8a83f574894132fe9ba4 Mon Sep 17 00:00:00 2001
From: jim-p
Date: Wed, 13 Nov 2013 16:13:31 -0500
Subject: Bring back tls-remote as a non-default option for those stuck on older clients. Also give the user the option to disable server cert CN verification. Implements #3318
---
 .../openvpn-client-export.inc | 28 +++++++++++++++-------
 .../openvpn-client-export.xml | 2 +-
 pkg_config.8.xml | 2 +-
 pkg_config.8.xml.amd64 | 2 +-
 4 files changed, 23 insertions(+), 11 deletions(-)
diff --git a/config/openvpn-client-export/openvpn-client-export.inc b/config/openvpn-client-export/openvpn-client-export.inc
index de27b907..e6351686 100755
--- a/config/openvpn-client-export/openvpn-client-export.inc
+++ b/config/openvpn-client-export/openvpn-client-export.inc
@@ -170,7 +170,7 @@ function openvpn_client_export_validate_config($srvid, $usrid, $crtid) {
 return array($settings, $server_cert, $server_ca, $servercn, $user, $cert, $nokeys);
 }
-function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $quoteservercn, $usetoken, $nokeys = false, $proxy, $expformat = "baseconf", $outpass = "", $skiptls=false, $doslines=false, $openvpnmanager, $advancedoptions = "") {
+function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $verifyservercn, $usetoken, $nokeys = false, $proxy, $expformat = "baseconf", $outpass = "", $skiptls=false, $doslines=false, $openvpnmanager, $advancedoptions = "") {
 global $config, $input_errors, $g;
 $pfs_version = substr(trim(file_get_contents("/etc/version")),0,3);
@@ -211,9 +211,21 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $quotese
 $conf .= "$remotes{$nl}";
 /* This line can cause problems with auth-only setups and also with Yealink/Snom phones since they are stuck on an older OpenVPN version that does not support this feature. */
- if (!empty($servercn) && !$nokeys && (substr($expformat, 0, 7) != "yealink") && ($expformat != "snom")) {
- $qw = ($quoteservercn) ? "\"" : "";
- $conf .= "verify-x509-name {$qw}{$servercn}{$qw} name{$nl}";
+ if (!empty($servercn) && !$nokeys) {
+ switch ($verifyservercn) {
+ case "none":
+ break;
+ case "tls-remote":
+ $conf .= "tls-remote {$servercn}{$nl}";
+ break;
+ case "tls-remote-quote":
+ $conf .= "tls-remote \"{$servercn}\"{$nl}";
+ break;
+ default:
+ if ((substr($expformat, 0, 7) != "yealink") && ($expformat != "snom")) {
+ $conf .= "verify-x509-name \"{$servercn}\" name{$nl}";
+ }
+ }
 }
 if (!empty($proxy)) {
@@ -459,7 +471,7 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $quotese
 }
 }
-function openvpn_client_export_installer($srvid, $usrid, $crtid, $useaddr, $quoteservercn, $usetoken, $outpass, $proxy, $openvpnmanager, $advancedoptions, $openvpn_version = "2.1") {
+function openvpn_client_export_installer($srvid, $usrid, $crtid, $useaddr, $verifyservercn, $usetoken, $outpass, $proxy, $openvpnmanager, $advancedoptions, $openvpn_version = "2.1") {
 global $config, $g, $input_errors;
 $uname_p = trim(exec("uname -p"));
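Review bot: The `case "none": break;` arm writes no server-name check at all, so once the client trusts the CA, any certificate that CA issued — including another user's client certificate when server and users share a CA — is accepted as the server unless the exported profile also carries `remote-cert-tls server` or an equivalent EKU check, which this hunk does not show. I would make that dependency explicit in the code, `/* "none": no name check is written; impersonation by any CA-issued cert is only prevented if remote-cert-tls server is also emitted */`, and leave a visible marker in the generated profile instead of the bare `break;`, e.g. `$conf .= "# server certificate name verification disabled{$nl}";`. The two `tls-remote` arms deserve a caveat as well: OpenVPN's manual describes `tls-remote` as also matching a common-name prefix and deprecates it from 2.3 in favour of `verify-x509-name`, so a comment such as `/* tls-remote accepts a CN prefix and is deprecated since OpenVPN 2.3; only for clients that lack verify-x509-name */` would stop it being chosen casually. Unknown values fall through to `verify-x509-name`, which is the right fail-safe default. openvpn_client_export_config begins and ends outside this hunk.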
@@ -511,7 +523,7 @@ function openvpn_client_export_installer($srvid, $usrid, $crtid, $useaddr, $quot
 $pwdfle .= "{$proxy['password']}\r\n";
 file_put_contents("{$confdir}/{$proxy['passwdfile']}", $pwdfle);
 }
- $conf = openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $quoteservercn, $usetoken, $nokeys, $proxy, "", "baseconf", false, true, $openvpnmanager, $advancedoptions);
+ $conf = openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $verifyservercn, $usetoken, $nokeys, $proxy, "", "baseconf", false, true, $openvpnmanager, $advancedoptions);
 if (!$conf) {
 $input_errors[] = "Could not create a config to export.";
 return false;
@@ -576,7 +588,7 @@ RunProgram="openvpn-postinstall.exe"
 return $outfile;
 }
-function viscosity_openvpn_client_config_exporter($srvid, $usrid, $crtid, $useaddr, $quoteservercn, $usetoken, $outpass, $proxy, $openvpnmanager, $advancedoptions) {
+function viscosity_openvpn_client_config_exporter($srvid, $usrid, $crtid, $useaddr, $verifyservercn, $usetoken, $outpass, $proxy, $openvpnmanager, $advancedoptions) {
 global $config, $g;
 $uname_p = trim(exec("uname -p"));
@@ -611,7 +623,7 @@ function viscosity_openvpn_client_config_exporter($srvid, $usrid, $crtid, $usead
 file_put_contents("{$tempdir}/{$proxy['passwdfile']}", $pwdfle);
 }
- $conf = openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $quoteservercn, $usetoken, true, $proxy, "baseconf", "", true, $openvpnmanager, $advancedoptions);
+ $conf = openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $verifyservercn, $usetoken, true, $proxy, "baseconf", "", true, $openvpnmanager, $advancedoptions);
 if (!$conf) return false;
diff --git a/config/openvpn-client-export/openvpn-client-export.xml b/config/openvpn-client-export/openvpn-client-export.xml
index 04ffcec7..fa5ce6cf 100755
--- a/config/openvpn-client-export/openvpn-client-export.xml
+++ b/config/openvpn-client-export/openvpn-client-export.xml
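Review bot: The `$conf = openvpn_client_export_config(...)` call in the installer hunk passes `"", "baseconf"` in the ninth and tenth positions, but the signature declared earlier in this patch has those as `$expformat = "baseconf", $outpass = ""`, so the installer runs with an empty `$expformat` and the literal `"baseconf"` as the output password, whereas the viscosity call in the last hunk of this line passes `"baseconf", ""` and matches the signature. The rename carries the swap forward unchanged; the fix is to reorder the two arguments, `$conf = openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $verifyservercn, $usetoken, $nokeys, $proxy, "baseconf", "", false, true, $openvpnmanager, $advancedoptions);`. How much this matters depends on whether the installer ever exports with keys — `$nokeys` is set outside the hunk — so it is worth confirming `$outpass` is unused on that path before treating it as cosmetic. openvpn_client_export_installer starts and ends outside this hunk.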
@@ -1,7 +1,7 @@
 OpenVPN Client Export
- 1.2
+ 1.2.1
 OpenVPN Client Export /usr/local/pkg/openvpn-client-export.inc
diff --git a/pkg_config.8.xml b/pkg_config.8.xml
index 517462bb..4d5015f1 100644
--- a/pkg_config.8.xml
+++ b/pkg_config.8.xml
@@ -1463,7 +1463,7 @@ zip-3.0-i386.pbi p7zip-9.20.1-i386.pbi /usr/ports/archivers/p7zip /usr/ports/archivers/zip
- 1.2
+ 1.2.1
 RELEASE 2.0 http://www.pfsense.com/packages/config/openvpn-client-export/openvpn-client-export.xml
diff --git a/pkg_config.8.xml.amd64 b/pkg_config.8.xml.amd64
index 44f72f8d..cfb81e59 100644
--- a/pkg_config.8.xml.amd64
+++ b/pkg_config.8.xml.amd64
@@ -1450,7 +1450,7 @@ p7zip-9.20.1-amd64.pbi zip-3.0-amd64.pbi /usr/ports/archivers/p7zip /usr/ports/archivers/zip
- 1.2
+ 1.2.1
 RELEASE 2.0 http://www.pfsense.com/packages/config/openvpn-client-export/openvpn-client-export.xml
--
cgit v1.2.3