- change server cn validation to server subject
- move "use random port" to custom option
- tgb format issue with SHA1
This commit is contained in:
Ad Schellevis 2018-12-10 15:16:32 +01:00
parent e494ebd94e
commit 7fa92079cb
7 changed files with 21 additions and 9 deletions


@ -332,6 +332,7 @@ class ExportController extends ApiControllerBase
// fetch associated certificate data, add to config
$config['server_ca_chain'] = array();
$config['server_cn'] = null;
$config['server_subject_name'] = null;
$config['server_cert_is_srv'] = null;
if (!empty($server->certref)) {
if (isset(Config::getInstance()->object()->cert)) {
@ -346,6 +347,7 @@ class ExportController extends ApiControllerBase
$str_crt = base64_decode((string)$cert->crt);
$inf_crt = openssl_x509_parse($str_crt);
$config['server_cn'] = $inf_crt['subject']['CN'];
$config['server_subject_name'] = $inf_crt['name'];
// Is server type cert
$config['server_cert_is_srv'] = (
isset($inf_crt['extensions']['extendedKeyUsage']) &&
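Review bot: `$inf_crt['name']` at L24 is OpenSSL's one-line DN (`/C=…/ST=…/CN=…`), while the exporter feeds it to `verify-x509-name … subject`, which, if I read the OpenVPN manpage right, compares against OpenVPN's own subject string — since 2.3 the comma-separated `C=…, ST=…, CN=…` form unless `--compat-names` is set — so the exported directive may never match a current server. It would be safer to build the value from `$inf_crt['subject']` (joining `key=value` pairs with `', '`, flattening multi-valued RDNs) and to record the expected format next to the assignment, e.g. `// OpenVPN >= 2.3 subject DN format: "C=.., ST=.., CN=.."`. `openssl_x509_parse` also returns false for an unparsable certificate, so a guard before indexing `$inf_crt` would avoid a notice and an empty name being exported. The enclosing method continues outside the hunk.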


@ -28,6 +28,7 @@
<field>
<id>openvpn_export.random_local_port</id>
<label>Use random local port</label>
<style>export_option</style>
<type>checkbox</type>
<help>Use a random local source port (lport) for traffic from the client. Without this set, two clients may not run concurrently.</help>
</field>
@ -40,9 +41,9 @@
</field>
<field>
<id>openvpn_export.validate_server_cn</id>
<label>Validate server CN</label>
<label>Validate server subject</label>
<type>checkbox</type>
<help>Verify the server certificate Common Name (CN) when the client connects</help>
<help>Verify the server certificate name when the client connects</help>
</field>
<field>
<id>openvpn_export.plain_config</id>
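Review bot: The new help text at L47, `Verify the server certificate name when the client connects`, no longer says what is compared, while the field id remains `validate_server_cn`, so a reader of the form cannot tell whether the CN or the whole subject is checked. Since the exporter now emits `verify-x509-name … subject`, suggest `Verify the full subject (DN) of the server certificate when the client connects`, which also explains why the label moved from CN to subject.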


@ -48,7 +48,7 @@ class ArchiveOpenVPN extends PlainOpenVPN
*/
public function supportedOptions()
{
return array("plain_config", "p12_password");
return array("plain_config", "p12_password", "random_local_port");
}
/**
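Review bot: `ArchiveOpenVPN` extends `PlainOpenVPN` (L54) yet restates the parent's option list at L59, which is why the new `random_local_port` had to be copied into three `supportedOptions()` bodies; the same applies to `ViscosityVisz` at L125. Deriving the list from the parent keeps the subclasses in step when another option is added: `return array_merge(parent::supportedOptions(), array("p12_password"));`. This assumes option order is not significant to callers, which the context at L54 does not show.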


@ -48,7 +48,7 @@ class PlainOpenVPN extends BaseExporter implements IExportProvider
*/
public function supportedOptions()
{
return array("plain_config");
return array("plain_config", "random_local_port");
}
/**
@ -117,9 +117,9 @@ class PlainOpenVPN extends BaseExporter implements IExportProvider
$conf[] = "lport 0";
}
if ($this->config['mode'] !== 'server_user' && !empty($this->config['server_cn'])
if ($this->config['mode'] !== 'server_user' && !empty($this->config['server_subject_name'])
&& !empty($this->config['validate_server_cn'])) {
$conf[] = "verify-x509-name \"{$this->config['server_cn']}\" name";
$conf[] = "verify-x509-name \"{$this->config['server_subject_name']}\" subject";
if (!empty($this->config['server_cert_is_srv'])) {
$conf[] = "remote-cert-tls server";
}
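Review bot: The subject DN is interpolated into a double-quoted config token at L80 without escaping, and a full DN is far more likely than a bare CN to contain a `"` or `\` (in an `O=` or `emailAddress=` RDN, say), which would yield a `verify-x509-name` line OpenVPN cannot parse. As far as I recall OpenVPN's config parser accepts backslash escapes inside double quotes, so escaping before interpolation keeps the export robust: `$subject = str_replace(array('\\', '"'), array('\\\\', '\\"'), $this->config['server_subject_name']);` followed by `$conf[] = "verify-x509-name \"{$subject}\" subject";`. The enclosing method starts and ends outside the hunk.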


@ -124,8 +124,8 @@ class TheGreenBow extends BaseExporter implements IExportProvider
if (!empty($this->config['digest'])) {
if (strpos($this->config['digest'], "SHA1") !== false) {
$output->cfg_ssl->cfg_sslconnection->cfg_tunneloptions->Auth = "MD5";
$output->cfg_ssl->cfg_sslconnection->cfg_tunneloptions->AuthSize = "128";
$output->cfg_ssl->cfg_sslconnection->cfg_tunneloptions->Auth = "SHA1";
$output->cfg_ssl->cfg_sslconnection->cfg_tunneloptions->AuthSize = "160";
} elseif ($this->config['digest'] == "SHA256") {
$output->cfg_ssl->cfg_sslconnection->cfg_tunneloptions->Auth = "SHA2";
$output->cfg_ssl->cfg_sslconnection->cfg_tunneloptions->AuthSize = "256";
@ -135,6 +135,9 @@ class TheGreenBow extends BaseExporter implements IExportProvider
} elseif ($this->config['digest'] == "SHA512") {
$output->cfg_ssl->cfg_sslconnection->cfg_tunneloptions->Auth = "SHA2";
$output->cfg_ssl->cfg_sslconnection->cfg_tunneloptions->AuthSize = "SHA512";
} else {
$output->cfg_ssl->cfg_sslconnection->cfg_tunneloptions->Auth = "MD5";
$output->cfg_ssl->cfg_sslconnection->cfg_tunneloptions->AuthSize = "128";
}
}
if (!empty($this->config['compression'])) {
@ -143,6 +146,11 @@ class TheGreenBow extends BaseExporter implements IExportProvider
$output->cfg_ssl->cfg_sslconnection->cfg_tunneloptions->Compression = 'no';
}
if ($this->config['mode'] !== 'server_user' && !empty($this->config['server_subject_name'])
&& !empty($this->config['validate_server_cn'])) {
$output->cfg_ssl->cfg_sslconnection->cfg_tunnelestablish->GatewayName = $this->config['server_subject_name'];
}
$output->cfg_ssl->cfg_sslconnection->cfg_tunneloptions->RenegSeconds = $this->config['reneg-sec'];
if (!empty($this->config['tls'])) {
$tls = array("\n-----BEGIN Static key-----");
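Review bot: The new `else` branch at L101–L103 maps every digest the chain does not recognise to `Auth = "MD5"` / `AuthSize = "128"`, so a server configured with, e.g., SHA384 is exported with a weaker HMAC than the server actually uses, and the resulting profile silently fails to connect rather than pointing at the unsupported digest. Failing loudly is the safer default: leave the fields unset, or throw, e.g. `throw new \RuntimeException("unsupported digest {$this->config['digest']}");`, and state the supported set in a comment above the chain (`// TheGreenBow accepts MD5, SHA1 and SHA2 with explicit sizes`). The SHA512 branch at L100 still writes `AuthSize = "SHA512"` where its siblings write a bit length; worth checking against the TheGreenBow schema while here. The enclosing method continues outside the hunk.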


@ -48,7 +48,7 @@ class ViscosityVisz extends PlainOpenVPN
*/
public function supportedOptions()
{
return array("plain_config", "p12_password");
return array("plain_config", "p12_password", "random_local_port");
}
/**


@ -65,6 +65,7 @@
$("#openvpn_export\\.template").append(this_opt);
});
$("#openvpn_export\\.servers").change();
$("#openvpn_export\\.template").change();
$("#openvpn_export\\.template").selectpicker('refresh');
}
});