From e366b753b24d8cadbe15bc6778e46c3159dc9983 Mon Sep 17 00:00:00 2001 From: jim-p Date: Wed, 6 Jul 2011 14:52:46 -0400 Subject: Force the connecting openvpn client to verify that the server's cn matches what is expected, to prevent MITM attacks. Fixes #1587 --- config/openvpn-client-export/openvpn-client-export.inc | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/config/openvpn-client-export/openvpn-client-export.inc b/config/openvpn-client-export/openvpn-client-export.inc index 04028139..ae8494b6 100755 --- a/config/openvpn-client-export/openvpn-client-export.inc +++ b/config/openvpn-client-export/openvpn-client-export.inc @@ -116,6 +116,9 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $usetoke $input_errors[] = "Could not locate certificate."; return false; } + if (function_exists("cert_get_cn")) { + $servercn = cert_get_cn($server_cert['crt']); + } // lookup user info if (is_numeric($usrid)) { @@ -175,6 +178,8 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $usetoke $conf .= "client\n"; $conf .= "resolv-retry infinite\n"; $conf .= "remote {$server_host} {$server_port}\n"; + if (!empty($servercn)) + $conf .= "tls-remote {$servercn}\n"; if (!empty($proxy)) { if ($proto == "udp") { -- cgit v1.2.3