From: Michael Tremer <michael.tremer@ipfire.org>
Date: Thu, 11 Apr 2024 19:42:16 +0000 (+0200)
Subject: ovpnmain.cgi: Remove ns-cert-type server
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6b6aad690700d9a9531537c7e1da32bb38a715fd;p=people%2Fms%2Fipfire-2.x.git

ovpnmain.cgi: Remove ns-cert-type server

This option has been removed in OpenVPN 2.5. We do not support anything
prior to that.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index cabae236c..c7c5e11f5 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -2377,12 +2377,8 @@ END
 		# Configure the MTU of the tunnel interface
 		print "tun-mtu $vpnsettings{'DMTU'}\n";
 
-		# Check host certificate if X509 is RFC3280 compliant.
-		# If not, old --ns-cert-type directive will be used.
-		# If appropriate key usage extension exists, new --remote-cert-tls directive will be used.
-		unless (&is_cert_rfc3280_compliant("${General::swroot}/ovpn/certs/servercert.pem")) {
-			print "ns-cert-type server\n";
-		} else {
+		# Ask the client to verify the server certificate
+		if (&is_cert_rfc3280_compliant("${General::swroot}/ovpn/certs/servercert.pem")) {
 			print "remote-cert-tls server\n";
 		}
 		print "verify-x509-name $vpnsettings{'ROOTCERT_HOSTNAME'} name\n";