From 29d06ea57694cd1dc9ee59f395edb6436e04eec8 Mon Sep 17 00:00:00 2001
From: jim-p <jimp@pfsense.org>
Date: Tue, 22 Nov 2011 13:50:12 -0500
Subject: If we can determine that the server cert has nsCertType=server, then
 add ns-cert-type server to the client config.

---
 config/openvpn-client-export/openvpn-client-export.inc | 9 +++++++++
 1 file changed, 9 insertions(+)

(limited to 'config')

diff --git a/config/openvpn-client-export/openvpn-client-export.inc b/config/openvpn-client-export/openvpn-client-export.inc
index a69826ba..234d7326 100755
--- a/config/openvpn-client-export/openvpn-client-export.inc
+++ b/config/openvpn-client-export/openvpn-client-export.inc
@@ -230,6 +230,15 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $usetoke
 	// - Disable for now, it requires the server cert to include special options
 	//$conf .= "remote-cert-tls server{$nl}";
 
+	// Extra protection for the server cert, if it's supported
+	if (function_exists("cert_get_purpose")) {
+		if (is_array($server_cert) && ($server_cert['crt'])) {
+			$purpose = cert_get_purpose($server_cert['crt'], true);
+			if ($purpose['server'] == 'Yes')
+				$conf .= "ns-cert-type server";
+		}
+	}
+
 	// add optional settings
 	if ($settings['compression'])
 		$conf .= "comp-lzo{$nl}";
-- 
cgit v1.2.3