authorDaniil Baturin <daniil@baturin.org>2019-09-20 23:22:44 +0700
committerGitHub <noreply@github.com>2019-09-20 23:22:44 +0700
commit62c3e0b5f2de7a1bb14b384bfb1d32687e08c4f8 (patch)
treeaa8de725853ad3dd043448dc00a18a0b06353c4a
parent81617be4869483abb4a921d8c14f01794649ab57 (diff)
parent87500058e11f6846a5ba18dfa17ea685bcdca5ae (diff)
Merge pull request #133 from vindenesen/openvpn-minimum-tls-version
[OpenVPN] T1675: Added setting for minimum tls version
-rw-r--r--interface-definitions/interfaces-openvpn.xml23
-rwxr-xr-xsrc/conf_mode/interface-openvpn.py9
2 files changed, 32 insertions, 0 deletions
diff --git a/interface-definitions/interfaces-openvpn.xml b/interface-definitions/interfaces-openvpn.xml
index df9b4026f..fb2564cbd 100644
--- a/interface-definitions/interfaces-openvpn.xml
+++ b/interface-definitions/interfaces-openvpn.xml
@@ -590,6 +590,29 @@
</constraint>
</properties>
</leafNode>
+ <leafNode name="tls-version-min">
+ <properties>
+ <help>Specify the minimum required TLS version</help>
+ <completionHelp>
+ <list>1.0 1.1 1.2</list>
+ </completionHelp>
+ <valueHelp>
+ <format>1.0</format>
+ <description>TLS v1.0</description>
+ </valueHelp>
+ <valueHelp>
+ <format>1.1</format>
+ <description>TLS v1.1</description>
+ </valueHelp>
+ <valueHelp>
+ <format>1.2</format>
+ <description>TLS v1.2</description>
+ </valueHelp>
+ <constraint>
+ <regex>(1.0|1.1|1.2)</regex>
+ </constraint>
+ </properties>
+ </leafNode>
<leafNode name="role">
<properties>
<help>File containing this host's private key</help>
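Review bot: The constraint `<regex>(1.0|1.1|1.2)</regex>` uses unescaped dots, so it also accepts values such as `1x0`, which the template then writes verbatim into the generated OpenVPN config as `tls-version-min 1x0`; escape them: `<regex>(1\.0|1\.1|1\.2)</regex>`. Whether the validator anchors the pattern is not visible here; if it does not, anchoring it (`^(1\.0|1\.1|1\.2)$`) is also needed so that inputs like `11.2` are rejected. Since TLS 1.0 and 1.1 are deprecated, consider saying so in their `<description>` entries (e.g. `TLS v1.0 (deprecated)`) so operators are steered toward 1.2. Unrelated to this change, the context line `<help>File containing this host's private key</help>` under the `role` node looks copy-pasted from the key node and is worth fixing in a follow-up.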
diff --git a/src/conf_mode/interface-openvpn.py b/src/conf_mode/interface-openvpn.py
index 7b3e57d7d..35e7928c2 100755
--- a/src/conf_mode/interface-openvpn.py
+++ b/src/conf_mode/interface-openvpn.py
@@ -167,6 +167,10 @@ key {{ tls_key }}
crl-verify {{ tls_crl }}
{% endif %}
+{%- if tls_version_min %}
+tls-version-min {{tls_version_min}}
+{% endif %}
+
{%- if tls_dh %}
dh {{ tls_dh }}
{% endif %}
@@ -288,6 +292,7 @@ default_config_data = {
'tls_dh': '',
'tls_key': '',
'tls_role': '',
+ 'tls_version_min': '',
'type': 'tun',
'uid': user,
'gid': group,
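Review bot: The default `'tls_version_min': ''` means the template's `{%- if tls_version_min %}` guard omits the `tls-version-min` directive entirely unless the operator sets it, so OpenVPN's own floor applies — which, if I recall its manual correctly, is TLS 1.0. For a new option whose purpose is hardening, consider shipping a secure default (`'tls_version_min': '1.2',`) and letting operators lower it explicitly for legacy peers; if a changed default is judged too disruptive for existing configurations, at least document in the CLI help that with the option unset the effective minimum is whatever OpenVPN defaults to. Either way a short comment on the key (`# '' = do not emit tls-version-min; OpenVPN's own default applies`) would make the intent clear to the next maintainer.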
@@ -572,6 +577,10 @@ def get_config():
openvpn['tls_role'] = conf.return_value('tls role')
openvpn['tls'] = True
+ # Minimum required TLS version
+ if conf.exists('tls tls-version-min'):
+ openvpn['tls_version_min'] = conf.return_value('tls tls-version-min')
+
if conf.exists('shared-secret-key-file'):
openvpn['shared_secret_file'] = conf.return_value('shared-secret-key-file')