From 29d06ea57694cd1dc9ee59f395edb6436e04eec8 Mon Sep 17 00:00:00 2001
From: jim-p
Date: Tue, 22 Nov 2011 13:50:12 -0500
Subject: If we can determine that the server cert has nsCertType=server, then add ns-cert-type server to the client config.
---
 config/openvpn-client-export/openvpn-client-export.inc | 9 +++++++++
 1 file changed, 9 insertions(+)
(limited to 'config')
diff --git a/config/openvpn-client-export/openvpn-client-export.inc b/config/openvpn-client-export/openvpn-client-export.inc
index a69826ba..234d7326 100755
--- a/config/openvpn-client-export/openvpn-client-export.inc
+++ b/config/openvpn-client-export/openvpn-client-export.inc
@@ -230,6 +230,15 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $usetoke
 // - Disable for now, it requires the server cert to include special options
 //$conf .= "remote-cert-tls server{$nl}";
+ // Extra protection for the server cert, if it's supported
+ if (function_exists("cert_get_purpose")) {
+ if (is_array($server_cert) && ($server_cert['crt'])) {
+ $purpose = cert_get_purpose($server_cert['crt'], true);
+ if ($purpose['server'] == 'Yes')
+ $conf .= "ns-cert-type server";
+ }
+ }
+
 // add optional settings
 if ($settings['compression'])
 $conf .= "comp-lzo{$nl}";
-- 
cgit v1.2.3
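Review bot: The added `$conf .= "ns-cert-type server";` line has no `{$nl}` terminator, unlike the other `$conf .=` lines visible in the hunk, so the next directive appended (for example `comp-lzo` when compression is enabled) ends up on the same line and the exported client config carries a malformed `ns-cert-type` value instead of the intended server-certificate check. It should read `$conf .= "ns-cert-type server{$nl}";`. The test `$purpose['server'] == 'Yes'` also assumes `cert_get_purpose()` always returns an array with that key; since the helper is defined outside this hunk, a guard such as `if (is_array($purpose) && isset($purpose['server']) && $purpose['server'] === 'Yes')` would be safer. When the helper is missing or the certificate lacks the server purpose, the export silently contains no server-certificate-type verification at all, so a comment like `// NOTE: without this line the client does not verify the peer is a server cert` at the outer `if` would make that fallback visible to maintainers. The body of `openvpn_client_export_config` starts and ends outside the hunk.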