T5271: allow the user to specify either CA or peer fingerprint

in OpenVPN site-to-site mode
author: Daniil Baturin <daniil@baturin.org> 2023-08-15 20:13:31 +0100
committer: Daniil Baturin <daniil@baturin.org> 2023-08-15 20:13:31 +0100
commit: 26d7ab49d92d5c665f5d6bc21375a21e22da33f6 (patch)
tree: 816b6f64e65e08ca28ddd531c16efae1ac032cad /src/conf_mode/interfaces-openvpn.py
parent: 1d6180b74cff43ddc73a0f708b348cade5a9f12d (diff)
download: vyos-1x-26d7ab49d92d5c665f5d6bc21375a21e22da33f6.tar.gz
vyos-1x-26d7ab49d92d5c665f5d6bc21375a21e22da33f6.zip
1 files changed, 16 insertions, 10 deletions
diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py
index 26b217d98..1d0feb56f 100755
--- a/src/conf_mode/interfaces-openvpn.py
+++ b/src/conf_mode/interfaces-openvpn.py
@@ -166,17 +166,23 @@ def verify_pki(openvpn):
             raise ConfigError(f'Invalid shared-secret on openvpn interface {interface}')
 
     if tls:
-        if 'ca_certificate' not in tls:
-            raise ConfigError(f'Must specify "tls ca-certificate" on openvpn interface {interface}')
-
-        for ca_name in tls['ca_certificate']:
-            if ca_name not in pki['ca']:
-                raise ConfigError(f'Invalid CA certificate on openvpn interface {interface}')
+        if (mode in ['server', 'client']) and ('ca_certificate' not in tls):
+            raise ConfigError(f'Must specify "tls ca-certificate" on openvpn interface {interface},\
+              it is required in server and client modes')
+        else:
+            if ('ca_certificate' not in tls) and ('peer_fingerprint' not in tls):
+                raise ConfigError('Either "tls ca-certificate" or "tls peer-fingerprint" is required\
+                  on openvpn interface {interface} in site-to-site mode')
 
-        if len(tls['ca_certificate']) > 1:
-            sorted_chain = sort_ca_chain(tls['ca_certificate'], pki['ca'])
-            if not verify_ca_chain(sorted_chain, pki['ca']):
-                raise ConfigError(f'CA certificates are not a valid chain')
+        if 'ca_certificate' in tls:
+            for ca_name in tls['ca_certificate']:
+                if ca_name not in pki['ca']:
+                    raise ConfigError(f'Invalid CA certificate on openvpn interface {interface}')
+
+            if len(tls['ca_certificate']) > 1:
+                sorted_chain = sort_ca_chain(tls['ca_certificate'], pki['ca'])
+                if not verify_ca_chain(sorted_chain, pki['ca']):
+                    raise ConfigError(f'CA certificates are not a valid chain')
 
         if mode != 'client' and 'auth_key' not in tls:
             if 'certificate' not in tls:
author	Daniil Baturin <daniil@baturin.org>	2023-08-15 20:13:31 +0100
committer	Daniil Baturin <daniil@baturin.org>	2023-08-15 20:13:31 +0100
commit	26d7ab49d92d5c665f5d6bc21375a21e22da33f6 (patch)
tree	816b6f64e65e08ca28ddd531c16efae1ac032cad /src/conf_mode/interfaces-openvpn.py
parent	1d6180b74cff43ddc73a0f708b348cade5a9f12d (diff)
download	vyos-1x-26d7ab49d92d5c665f5d6bc21375a21e22da33f6.tar.gz vyos-1x-26d7ab49d92d5c665f5d6bc21375a21e22da33f6.zip