+###
+### Check for PKI and configure problems
+###
+
+sub pkiconfigcheck
+{
+ # Warning if DH parameter is 1024 bit
+ if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") {
+ my $dhparameter = `/usr/bin/openssl dhparam -text -in ${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}`;
+ my @dhbit = ($dhparameter =~ /(\d+)/);
+ if ($1 < 2048) {
+ $cryptoerror = "$Lang::tr{'ovpn error dh'}";
+ goto CRYPTO_ERROR;
+ }
+ }
+
+ # Warning if md5 is in usage
+ if (-f "${General::swroot}/ovpn/certs/servercert.pem") {
+ my $signature = `/usr/bin/openssl x509 -noout -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
+ if ($signature =~ /md5WithRSAEncryption/) {
+ $cryptoerror = "$Lang::tr{'ovpn error md5'}";
+ goto CRYPTO_ERROR;
+ }
+ }
+
+ CRYPTO_ERROR:
+
+ # Warning if certificate is not compliant to RFC3280 TLS rules
+ if (-f "${General::swroot}/ovpn/certs/servercert.pem") {
+ my $extendkeyusage = `/usr/bin/openssl x509 -noout -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
+ if ($extendkeyusage !~ /TLS Web Server Authentication/) {
+ $cryptowarning = "$Lang::tr{'ovpn warning rfc3280'}";
+ goto CRYPTO_WARNING;
+ }
+ }
+
+ CRYPTO_WARNING:
+}
+