From: Stefan Schantl
Date: Thu, 5 Feb 2026 18:51:34 +0000 (+0100)
Subject: ovpnmain.cgi: Re-implement iscertlegacy function
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=818ab000e130d5bfe7df246a1fa0679557cd6ba1;p=ipfire-2.x.git

ovpnmain.cgi: Re-implement iscertlegacy function

Re-implement the iscertlegacy function to proper detect any kind of legacy certificate by using the openssl legacy switch.

Fixes #13936

Signed-off-by: Stefan Schantl
Signed-off-by: Michael Tremer
---

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index e53bd6e28..b435d9e1b 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -143,12 +143,32 @@ my $col="";
 sub iscertlegacy
 {
 my $file=$_[0];
- my @certinfo = &General::system_output("/usr/bin/openssl", "pkcs12", "-info", "-nodes",
- "-in", "$file.p12", "-noout", "-passin", "pass:''");
- if (index ($certinfo[0], "MAC: sha1") != -1) {
- return 1;
- }
- return 0;
+ my @openssl_cmd = ("/usr/bin/openssl", "pkcs12", "-info", "-nodes",
+ "-in", "$file.p12", "-noout", "-passin", "pass:");
+ my $ret;
+
+ # Execute the openssl command.
+ $ret = &General::safe_system(@openssl_cmd);
+
+ # Early exit if the openssl return code is zero and we do not have a
+ # lecacy certificate.
+ return 0 if ($ret eq "0");
+
+ # In case we got an return code of one, retry with enabled legacy option.
+ #
+ # Add option to enable legacy ciphers to the openssl command.
+ push(@openssl_cmd, "-legacy");
+
+ # Re-execute the openssl command with legacy option.
+ $ret = &General::safe_system(@openssl_cmd);
+
+ # Exit and return 1 if the return code of the openssl command is zero
+ # with enabled legay option, which indicates a legacy certificate.
+ return 1 if ($ret eq "0");
+
+ # If we got here, the openssl command was not able to detect
+ # which kind of certificate is used.
+ return undef;
 }
 
 sub is_cert_rfc3280_compliant($) {
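Review bot: The final `return undef;` is indistinguishable from `return 0;` for any caller that tests iscertlegacy in boolean context, so a missing, unreadable or password-protected `$file.p12` — or an openssl whose legacy provider cannot be loaded, which is presumably also a non-zero exit — is silently treated as a non-legacy certificate instead of as a failed check. Either state that contract in a comment above the sub (a false result means "not legacy, or could not be determined") or log the failure before returning, and prefer `return;` over `return undef;` so a list-context caller does not receive a one-element list. Both calls rely on the exit status alone, and `$ret eq "0"` compares it as a string, so a short comment saying what `General::safe_system` returns would help the next reader. The comments on the added lines spell `lecacy` and `legay` for `legacy`, and `an return code` should read `a return code`.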