From cf82c4092bba75065239b6555d85f89efd2b94f7 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Wed, 13 Jun 2018 18:39:24 +0200
Subject: [PATCH] drop nsCertType lookup in cert_get_purpose() and replace with
 check for "TLS Web Client Authentication" on extendedKeyUsage, for
 https://github.com/opnsense/core/issues/2459

---
 src/etc/inc/certs.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/etc/inc/certs.inc b/src/etc/inc/certs.inc
index 1748eb588..d3fd381c3 100644
--- a/src/etc/inc/certs.inc
+++ b/src/etc/inc/certs.inc
@@ -414,7 +414,7 @@ function cert_get_purpose($str_crt, $decode = true)
     $crt_details = openssl_x509_parse($str_crt);
     $purpose = array();
     $purpose['ca'] = (stristr($crt_details['extensions']['basicConstraints'], 'CA:TRUE') === false) ? 'No': 'Yes';
-    if (isset($crt_details['extensions']['nsCertType']) && $crt_details['extensions']['nsCertType'] == "SSL Server") {
+    if (isset($crt_details['extensions']['extendedKeyUsage']) && strstr($crt_details['extensions']['extendedKeyUsage'], "TLS Web Client Authentication") !== false) {
         $purpose['server'] = 'Yes';
     } else {
         $purpose['server'] = 'No';