+ # Check host certificate if X509 is RFC3280 compliant.
+ # If not, old --ns-cert-type directive will be used.
+ # If appropriate key usage extension exists, new --remote-cert-tls directive will be used.
+ my $hostcert = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
+ if ($hostcert !~ /TLS Web Server Authentication/) {
+ print CLIENTCONF "ns-cert-type server\r\n";
+ } else {
+ print CLIENTCONF "remote-cert-tls server\r\n";
+ }