| author | Christian Breunig <christian@breunig.cc> | 2023-08-10 06:50:23 +0200 | 
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-08-10 06:50:23 +0200 | 
| commit | 7a43a92057f7b777b472318d4ebb8fa9d02215ab (patch) | |
| tree | defae52bce201a6245b879c34139f99dab63778c | |
| parent | daf8f26f0d7cd67ad015e280ce297bc794800a7f (diff) | |
| parent | fa2518576638532aa3b23d4d72d77abc0c3f21d3 (diff) | |
| download | vyos-1x-7a43a92057f7b777b472318d4ebb8fa9d02215ab.tar.gz vyos-1x-7a43a92057f7b777b472318d4ebb8fa9d02215ab.zip | |
Merge pull request #2144 from dmbaturin/T5271-openvpn-peer-fingerprint
openvpn: T5271: add peer certificate fingerprint option
| -rw-r--r-- | data/templates/openvpn/server.conf.j2 | 8 | ||||
| -rw-r--r-- | interface-definitions/interfaces-openvpn.xml.in | 10 | 
2 files changed, 18 insertions, 0 deletions
diff --git a/data/templates/openvpn/server.conf.j2 b/data/templates/openvpn/server.conf.j2
index d144529f3..a9bd45370 100644
--- a/data/templates/openvpn/server.conf.j2
+++ b/data/templates/openvpn/server.conf.j2
@@ -200,6 +200,14 @@ tls-client
 {%     elif tls.role is vyos_defined('passive') %}
 tls-server
 {%     endif %}
+
+{%     if peer_fingerprint is vyos_defined %}
+<peer-fingerprint>
+{%         for fp in peer_fingerprint %}
+{{ fp }}
+{%         endfor %}
+</peer-fingerprint>
+{%     endif %}
 {% endif %}
 
 # Encryption options
diff --git a/interface-definitions/interfaces-openvpn.xml.in b/interface-definitions/interfaces-openvpn.xml.in
index 127a8179b..831659250 100644
--- a/interface-definitions/interfaces-openvpn.xml.in
+++ b/interface-definitions/interfaces-openvpn.xml.in
@@ -752,6 +752,16 @@
                   </completionHelp>
                 </properties>
               </leafNode>
+              <leafNode name="peer-fingerprint">
+                <properties>
+                  <multi/>
+                  <help>Peer certificate SHA256 fingerprint</help>
+                  <constraint>
+                    <regex>[0-9a-fA-F]{2}:([0-9a-fA-F]{2}:){30}[0-9a-fA-F]{2}</regex>
+                  </constraint>
+                  <constraintErrorMessage>Peer certificate fingerprint must be a colon-separated SHA256 hex digest</constraintErrorMessage>
+                </properties>
+              </leafNode>
               <leafNode name="tls-version-min">
                 <properties>
                   <help>Specify the minimum required TLS version</help>
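Review bot: `{{ fp }}` writes each configured value verbatim into the rendered OpenVPN config, so the only thing that stops a value from carrying extra lines or directives into the `<peer-fingerprint>` block is the regex constraint on the `peer-fingerprint` node in interfaces-openvpn.xml.in (assuming VyOS applies it as a full match, as it normally does); a template comment such as `{# values are limited to colon-separated SHA256 hex by the XML regex constraint; keep both in sync #}` above the `{% if peer_fingerprint is vyos_defined %}` line would make that dependency explicit. The diffstat shows only the template and the XML changed, so nothing visible here validates how a fingerprint list combines with the existing `ca-certificate` options, even though OpenVPN can use `peer-fingerprint` without a CA; if the conf-mode verify script was not adjusted elsewhere, a verify() rule or at least a comment on the intended combination is worth adding. `peer_fingerprint` is presumably the key-mangled form of the `peer-fingerprint` node — that mapping is not shown in this commit. The enclosing `{% if tls ... %}` block starts before this hunk.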
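Review bot: The new `peer-fingerprint` leaf has no `<valueHelp>`, so CLI completion gives the operator no hint of the expected 95-character format before the constraint rejects the input; add `<valueHelp><format>xx:xx:...:xx</format><description>SHA256 fingerprint of the peer certificate, 32 colon-separated hex bytes</description></valueHelp>` next to the `<help>` element, as other value nodes in VyOS interface definitions do. The `<help>` text could also state that the value is matched against the peer's certificate during the TLS handshake and that several fingerprints may be configured (the node is `<multi/>`). The regex accepts both letter cases, which is only harmless if OpenVPN compares fingerprints case-insensitively — worth confirming, otherwise normalise the case in the template.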
