diff options
author | John Estabrook <jestabro@vyos.io> | 2023-08-16 09:09:10 -0500 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-08-16 09:09:10 -0500 |
commit | 9cdc76fe5badcf44cf38ea82ed89332b32d9d62b (patch) | |
tree | 9bb955c7f2f7b623bb05970f3db3383b04de2f9e /src | |
parent | 3a3e490a198a10b6a05d5a0e2f1487ebfd6551a0 (diff) | |
parent | 26d7ab49d92d5c665f5d6bc21375a21e22da33f6 (diff) | |
download | vyos-1x-9cdc76fe5badcf44cf38ea82ed89332b32d9d62b.tar.gz vyos-1x-9cdc76fe5badcf44cf38ea82ed89332b32d9d62b.zip |
Merge pull request #2150 from dmbaturin/T5271-openvpn-peer-fingerprint-restrictions
T5271: allow OpenVPN peer-fingerprint to be used instead of a CA in site-to-site mode
Diffstat (limited to 'src')
-rwxr-xr-x | src/conf_mode/interfaces-openvpn.py | 26 |
1 files changed, 16 insertions, 10 deletions
diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py index 26b217d98..1d0feb56f 100755 --- a/src/conf_mode/interfaces-openvpn.py +++ b/src/conf_mode/interfaces-openvpn.py @@ -166,17 +166,23 @@ def verify_pki(openvpn): raise ConfigError(f'Invalid shared-secret on openvpn interface {interface}') if tls: - if 'ca_certificate' not in tls: - raise ConfigError(f'Must specify "tls ca-certificate" on openvpn interface {interface}') - - for ca_name in tls['ca_certificate']: - if ca_name not in pki['ca']: - raise ConfigError(f'Invalid CA certificate on openvpn interface {interface}') + if (mode in ['server', 'client']) and ('ca_certificate' not in tls): + raise ConfigError(f'Must specify "tls ca-certificate" on openvpn interface {interface},\ + it is required in server and client modes') + else: + if ('ca_certificate' not in tls) and ('peer_fingerprint' not in tls): + raise ConfigError('Either "tls ca-certificate" or "tls peer-fingerprint" is required\ + on openvpn interface {interface} in site-to-site mode') - if len(tls['ca_certificate']) > 1: - sorted_chain = sort_ca_chain(tls['ca_certificate'], pki['ca']) - if not verify_ca_chain(sorted_chain, pki['ca']): - raise ConfigError(f'CA certificates are not a valid chain') + if 'ca_certificate' in tls: + for ca_name in tls['ca_certificate']: + if ca_name not in pki['ca']: + raise ConfigError(f'Invalid CA certificate on openvpn interface {interface}') + + if len(tls['ca_certificate']) > 1: + sorted_chain = sort_ca_chain(tls['ca_certificate'], pki['ca']) + if not verify_ca_chain(sorted_chain, pki['ca']): + raise ConfigError(f'CA certificates are not a valid chain') if mode != 'client' and 'auth_key' not in tls: if 'certificate' not in tls: |