summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorChristian Breunig <christian@breunig.cc>2023-08-10 06:50:23 +0200
committerGitHub <noreply@github.com>2023-08-10 06:50:23 +0200
commit7a43a92057f7b777b472318d4ebb8fa9d02215ab (patch)
treedefae52bce201a6245b879c34139f99dab63778c
parentdaf8f26f0d7cd67ad015e280ce297bc794800a7f (diff)
parentfa2518576638532aa3b23d4d72d77abc0c3f21d3 (diff)
downloadvyos-1x-7a43a92057f7b777b472318d4ebb8fa9d02215ab.tar.gz
vyos-1x-7a43a92057f7b777b472318d4ebb8fa9d02215ab.zip
Merge pull request #2144 from dmbaturin/T5271-openvpn-peer-fingerprint
openvpn: T5271: add peer certificate fingerprint option
-rw-r--r--data/templates/openvpn/server.conf.j28
-rw-r--r--interface-definitions/interfaces-openvpn.xml.in10
2 files changed, 18 insertions, 0 deletions
diff --git a/data/templates/openvpn/server.conf.j2 b/data/templates/openvpn/server.conf.j2
index d144529f3..a9bd45370 100644
--- a/data/templates/openvpn/server.conf.j2
+++ b/data/templates/openvpn/server.conf.j2
@@ -200,6 +200,14 @@ tls-client
{% elif tls.role is vyos_defined('passive') %}
tls-server
{% endif %}
+
+{% if peer_fingerprint is vyos_defined %}
+<peer-fingerprint>
+{% for fp in peer_fingerprint %}
+{{ fp }}
+{% endfor %}
+</peer-fingerprint>
+{% endif %}
{% endif %}
# Encryption options
diff --git a/interface-definitions/interfaces-openvpn.xml.in b/interface-definitions/interfaces-openvpn.xml.in
index 127a8179b..831659250 100644
--- a/interface-definitions/interfaces-openvpn.xml.in
+++ b/interface-definitions/interfaces-openvpn.xml.in
@@ -752,6 +752,16 @@
</completionHelp>
</properties>
</leafNode>
+ <leafNode name="peer-fingerprint">
+ <properties>
+ <multi/>
+ <help>Peer certificate SHA256 fingerprint</help>
+ <constraint>
+ <regex>[0-9a-fA-F]{2}:([0-9a-fA-F]{2}:){30}[0-9a-fA-F]{2}</regex>
+ </constraint>
+ <constraintErrorMessage>Peer certificate fingerprint must be a colon-separated SHA256 hex digest</constraintErrorMessage>
+ </properties>
+ </leafNode>
<leafNode name="tls-version-min">
<properties>
<help>Specify the minimum required TLS version</help>