- Added extended key usage based on RFC3280 TLS rules for OpenVPN's OpenSSL configuration,
so '--remote-cert-tls' can be used instead of the old and deprecated '--ns-cert-type'
if the host certificate is newly generated with these options.
Nevertheless both directives (old and new) will work also with old CAs.
- Automatic detection if the host certificate uses the new options.
If it does, '--remote-cert-tls server' will be automatically set into the client
configuration files for Net-to-Net and Roadwarriors connections.
If it does NOT, the old '--ns-cert-type server' directive will be set in the client
configuration file.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
+extendedKeyUsage = clientAuth
+keyUsage = digitalSignature
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
+extendedKeyUsage = serverAuth
+keyUsage = digitalSignature, keyEncipherment
[ v3_req ]
basicConstraints = CA:FALSE
[ v3_req ]
basicConstraints = CA:FALSE
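Review bot: The added `extendedKeyUsage` / `keyUsage` lines carry no comment tying them to OpenVPN's peer-certificate checks, even though the client-config code in this same commit chooses between `remote-cert-tls` and `ns-cert-type` by looking for the server EKU in servercert.pem. A later edit here could therefore silently change which check generated clients perform. A short comment would make the coupling visible, for example `# serverAuth EKU and these key usages are what --remote-cert-tls server expects; the client config generator detects this EKU` before `extendedKeyUsage = serverAuth`, and `# clientAuth EKU, needed for --remote-cert-tls client` before `extendedKeyUsage = clientAuth`. The section headers these lines belong to are outside the visible context, so placement should be confirmed against the full file.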
-
- print CLIENTCONF "ns-cert-type server\n";
+ # Check host certificate if X509 is RFC3280 compliant.
+ # If not, old --ns-cert-type directive will be used.
+ # If appropriate key usage extension exists, new --remote-cert-tls directive will be used.
+ my $hostcert = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
+ if ($hostcert !~ /TLS Web Server Authentication/) {
+ print CLIENTCONF "ns-cert-type server\n";
+ } else {
+ print CLIENTCONF "remote-cert-tls server\n";
+ }
print CLIENTCONF "# Auth. Client\n";
print CLIENTCONF "tls-client\n";
print CLIENTCONF "# Cipher\n";
print CLIENTCONF "# Auth. Client\n";
print CLIENTCONF "tls-client\n";
print CLIENTCONF "# Cipher\n";
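Review bot: The backtick call on the added `my $hostcert = ...` line has no error check, so if openssl fails or servercert.pem is missing, `$hostcert` is empty, the `!~` test is true, and the generated client config silently falls back to the deprecated `ns-cert-type server`. Testing `$?` right after the call would separate "certificate lacks the EKU" from "could not read the certificate", e.g. `die "cannot read server certificate\n" if $? != 0;` (or whatever error path this page normally uses). The regex is also applied to the full human-readable `-text` dump rather than to the Extended Key Usage field, so it depends on OpenSSL's display wording and would match the same phrase anywhere in the certificate. The same block is copied into the two later hunks (once with `\n`, once with `\r\n` line endings); a single helper returning the directive name would keep the three copies consistent. The enclosing code starts and ends outside the hunk.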
- print CLIENTCONF "ns-cert-type server\n";
+ # Check host certificate if X509 is RFC3280 compliant.
+ # If not, old --ns-cert-type directive will be used.
+ # If appropriate key usage extension exists, new --remote-cert-tls directive will be used.
+ my $hostcert = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
+ if ($hostcert !~ /TLS Web Server Authentication/) {
+ print CLIENTCONF "ns-cert-type server\n";
+ } else {
+ print CLIENTCONF "remote-cert-tls server\n";
+ }
print CLIENTCONF "# Auth. Client\n";
print CLIENTCONF "tls-client\n";
print CLIENTCONF "# Cipher\n";
print CLIENTCONF "# Auth. Client\n";
print CLIENTCONF "tls-client\n";
print CLIENTCONF "# Cipher\n";
print CLIENTCONF "comp-lzo\r\n";
}
print CLIENTCONF "verb 3\r\n";
print CLIENTCONF "comp-lzo\r\n";
}
print CLIENTCONF "verb 3\r\n";
- print CLIENTCONF "ns-cert-type server\r\n";
+ # Check host certificate if X509 is RFC3280 compliant.
+ # If not, old --ns-cert-type directive will be used.
+ # If appropriate key usage extension exists, new --remote-cert-tls directive will be used.
+ my $hostcert = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
+ if ($hostcert !~ /TLS Web Server Authentication/) {
+ print CLIENTCONF "ns-cert-type server\r\n";
+ } else {
+ print CLIENTCONF "remote-cert-tls server\r\n";
+ }
print CLIENTCONF "verify-x509-name $vpnsettings{ROOTCERT_HOSTNAME} name\r\n";
if ($vpnsettings{MSSFIX} eq 'on') {
print CLIENTCONF "mssfix\r\n";
print CLIENTCONF "verify-x509-name $vpnsettings{ROOTCERT_HOSTNAME} name\r\n";
if ($vpnsettings{MSSFIX} eq 'on') {
print CLIENTCONF "mssfix\r\n";