summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorGiga Murphy <giga1699@gmail.com>2025-07-24 00:18:27 +0000
committerChristian Breunig <christian@breunig.cc>2025-12-29 07:11:33 +0100
commitbb7476e1a2f61504f274823ced93c5bb608a76c6 (patch)
tree75db95dca7a1be5d70d2ffa45a19b961bfd4c193 /src
parent51036f9d188bd7e0061a6c8c4798fb2b0ce63297 (diff)
downloadvyos-1x-bb7476e1a2f61504f274823ced93c5bb608a76c6.tar.gz
vyos-1x-bb7476e1a2f61504f274823ced93c5bb608a76c6.zip
T7635: OpenConnect Certificate Authentication
Diffstat (limited to 'src')
-rwxr-xr-xsrc/conf_mode/vpn_openconnect.py15
1 files changed, 12 insertions, 3 deletions
diff --git a/src/conf_mode/vpn_openconnect.py b/src/conf_mode/vpn_openconnect.py
index 68cd363f0..8522a325b 100755
--- a/src/conf_mode/vpn_openconnect.py
+++ b/src/conf_mode/vpn_openconnect.py
@@ -105,11 +105,17 @@ def verify(ocserv):
if 'authentication' in ocserv:
if 'mode' in ocserv['authentication']:
if (
- 'local' in ocserv['authentication']['mode']
- and 'radius' in ocserv['authentication']['mode']
+ ('local' in ocserv['authentication']['mode']
+ and 'radius' in ocserv['authentication']['mode'])
+ or
+ ('local' in ocserv['authentication']['mode']
+ and 'certificate' in ocserv['authentication']['mode'])
+ or
+ ('radius' in ocserv['authentication']['mode']
+ and 'certificate' in ocserv['authentication']['mode'])
):
raise ConfigError(
- 'OpenConnect authentication modes are mutually-exclusive, remove either local or radius from your configuration'
+ 'OpenConnect authentication modes are mutually-exclusive. Only one of local, radius, or certificate.'
)
if 'radius' in ocserv['authentication']['mode']:
if 'server' not in ocserv['authentication']['radius']:
@@ -203,6 +209,9 @@ def verify(ocserv):
raise ConfigError('SSL certificate missing on OpenConnect config!')
verify_pki_certificate(ocserv, ocserv['ssl']['certificate'])
+ if 'ca_certificate' not in ocserv['ssl'] and 'certificiate' in ocserv['authentication']['mode']:
+ raise ConfigError('CA certificate must be provided in certificate authentication mode!')
+
if 'ca_certificate' in ocserv['ssl']:
for ca_cert in ocserv['ssl']['ca_certificate']:
verify_pki_ca_certificate(ocserv, ca_cert)