From e366b753b24d8cadbe15bc6778e46c3159dc9983 Mon Sep 17 00:00:00 2001
From: jim-p <jimp@pfsense.org>
Date: Wed, 6 Jul 2011 14:52:46 -0400
Subject: Force the connecting openvpn client to verify that the server's cn
 matches what is expected, to prevent MITM attacks. Fixes #1587

---
 config/openvpn-client-export/openvpn-client-export.inc | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'config/openvpn-client-export/openvpn-client-export.inc')

diff --git a/config/openvpn-client-export/openvpn-client-export.inc b/config/openvpn-client-export/openvpn-client-export.inc
index 04028139..ae8494b6 100755
--- a/config/openvpn-client-export/openvpn-client-export.inc
+++ b/config/openvpn-client-export/openvpn-client-export.inc
@@ -116,6 +116,9 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $usetoke
 		$input_errors[] = "Could not locate certificate.";
 		return false;
 	}
+	if (function_exists("cert_get_cn")) {
+		$servercn = cert_get_cn($server_cert['crt']);
+	}
 
 	// lookup user info
 	if (is_numeric($usrid)) {
@@ -175,6 +178,8 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $usetoke
 	$conf .= "client\n";
 	$conf .= "resolv-retry infinite\n";
 	$conf .= "remote {$server_host} {$server_port}\n";
+	if (!empty($servercn))
+		$conf .= "tls-remote {$servercn}\n";
 
 	if (!empty($proxy)) {
 		if ($proto == "udp") {
-- 
cgit v1.2.3