From d1a2124559eb53f832bcaa467b8adc321ffbc5f9 Mon Sep 17 00:00:00 2001
From: Nicolas Riebesel <nicolas.riebesel@gmx.com>
Date: Thu, 23 Sep 2021 01:27:03 +0200
Subject: openvpn: T3642: Add option for TLS 1.3

---
 interface-definitions/interfaces-openvpn.xml.in | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/interface-definitions/interfaces-openvpn.xml.in b/interface-definitions/interfaces-openvpn.xml.in
index 2ecac78e2..d67549d87 100644
--- a/interface-definitions/interfaces-openvpn.xml.in
+++ b/interface-definitions/interfaces-openvpn.xml.in
@@ -678,7 +678,7 @@
                 <properties>
                   <help>Specify the minimum required TLS version</help>
                   <completionHelp>
-                    <list>1.0 1.1 1.2</list>
+                    <list>1.0 1.1 1.2 1.3</list>
                   </completionHelp>
                   <valueHelp>
                     <format>1.0</format>
@@ -692,8 +692,12 @@
                     <format>1.2</format>
                     <description>TLS v1.2</description>
                   </valueHelp>
+                  <valueHelp>
+                    <format>1.3</format>
+                    <description>TLS v1.3</description>
+                  </valueHelp>
                   <constraint>
-                    <regex>^(1.0|1.1|1.2)$</regex>
+                    <regex>^(1.0|1.1|1.2|1.3)$</regex>
                   </constraint>
                 </properties>
               </leafNode>
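Review bot: The dots in the new constraint `^(1.0|1.1|1.2|1.3)$` are unescaped, so each `.` matches any single character and a value such as `1x3` passes validation, although the completion list and valueHelp entries advertise only four versions. The later server.conf.tmpl patch on this page shows `tls-version-min {{ tls.tls_version_min }}` in its hunk header, so the accepted value appears to be written directly into the OpenVPN config. A tighter pattern keeps malformed values out of it: `<regex>^1\.[0-3]$</regex>`. The leafNode this constraint belongs to starts outside the hunk.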
-- 
cgit v1.2.3


From 4084046987ab52f8c77b0393c1820d37a2124bbd Mon Sep 17 00:00:00 2001
From: Nicolas Riebesel <nicolas.riebesel@gmx.com>
Date: Thu, 23 Sep 2021 01:28:22 +0200
Subject: openvpn: T3642: Fix password_protected check

---
 src/conf_mode/interfaces-openvpn.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py
index 02b7f83bf..ce62a8b82 100755
--- a/src/conf_mode/interfaces-openvpn.py
+++ b/src/conf_mode/interfaces-openvpn.py
@@ -134,7 +134,7 @@ def verify_pki(openvpn):
             if tls['certificate'] not in pki['certificate']:
                 raise ConfigError(f'Invalid certificate on openvpn interface {interface}')
 
-            if dict_search_args(pki, 'certificate', tls['certificate'], 'private', 'password_protected'):
+            if dict_search_args(pki, 'certificate', tls['certificate'], 'private', 'password_protected') is not None:
                 raise ConfigError(f'Cannot use encrypted private key on openvpn interface {interface}')
 
             if mode == 'server' and 'dh_params' not in tls and not is_ec_private_key(pki, tls['certificate']):
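Review bot: The new `is not None` comparison on the `password_protected` lookup has no comment explaining why a plain truthiness test is wrong there, so a later cleanup could revert it and let an encrypted private key through this check again. Presumably `password_protected` is a valueless node, so `dict_search_args` returns an empty, falsy dict when it is set; this should be confirmed against the helper. I would add above the condition: `# password_protected is a valueless node: present (even as {}) means the key is encrypted, so test for presence, not truthiness`. `verify_pki` starts and ends outside the hunk.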
-- 
cgit v1.2.3


From b4926009b15da34a0e76029447732c17e8a1431b Mon Sep 17 00:00:00 2001
From: Nicolas Riebesel <nicolas.riebesel@gmx.com>
Date: Thu, 23 Sep 2021 01:29:12 +0200
Subject: openvpn: T3642: Openvpn does not work without dh parameter in EC mode

---
 data/templates/openvpn/server.conf.tmpl | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/data/templates/openvpn/server.conf.tmpl b/data/templates/openvpn/server.conf.tmpl
index 9e4cc6813..6aedc3786 100644
--- a/data/templates/openvpn/server.conf.tmpl
+++ b/data/templates/openvpn/server.conf.tmpl
@@ -176,6 +176,8 @@ tls-version-min {{ tls.tls_version_min }}
 {%   endif %}
 {%   if tls.dh_params is defined and tls.dh_params is not none %}
 dh /run/openvpn/{{ ifname }}_dh.pem
+{%   elif mode == 'server' and tls.private_key is defined %}
+dh none
 {%   endif %}
 {%   if tls.auth_key is defined and tls.auth_key is not none %}
 {%     if mode == 'client' %}
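Review bot: The new `elif mode == 'server' and tls.private_key is defined` branch emits `dh none` for any server that has a private key and no `dh_params`, without itself checking that the key is an EC key. That guarantee appears to come only from `verify_pki`, whose `is_ec_private_key` test is visible in the interfaces-openvpn.py patch on this page, so the template silently depends on validation done elsewhere. A template comment would make the dependency explicit, for example `{# no DH params: ECDH only; verify_pki() allows this only for EC private keys #}`. It is also worth confirming that `tls.private_key` is always populated in the dict passed to the template, since otherwise neither `dh` line is written. The enclosing TLS block starts outside the hunk.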
-- 
cgit v1.2.3