From 66fdf41ed5c0edba1201ec1a47aa994aaa408c01 Mon Sep 17 00:00:00 2001
From: Michael Tremer <michael.tremer@ipfire.org>
Date: Thu, 11 Apr 2024 21:42:16 +0200
Subject: [PATCH] ovpnmain.cgi: Remove ns-cert-type server

This option has been removed in OpenVPN 2.5. We do not support anything
prior to that.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
 html/cgi-bin/ovpnmain.cgi | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 64c6ab850..8def0b6e5 100755
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -2377,12 +2377,8 @@ END
 		# Configure the MTU of the tunnel interface
 		print "tun-mtu $vpnsettings{'DMTU'}\n";
 
-		# Check host certificate if X509 is RFC3280 compliant.
-		# If not, old --ns-cert-type directive will be used.
-		# If appropriate key usage extension exists, new --remote-cert-tls directive will be used.
-		unless (&is_cert_rfc3280_compliant("${General::swroot}/ovpn/certs/servercert.pem")) {
-			print "ns-cert-type server\n";
-		} else {
+		# Ask the client to verify the server certificate
+		if (&is_cert_rfc3280_compliant("${General::swroot}/ovpn/certs/servercert.pem")) {
 			print "remote-cert-tls server\n";
 		}
 		print "verify-x509-name $vpnsettings{'ROOTCERT_HOSTNAME'} name\n";
-- 
2.39.5