| author | Daniil Baturin <daniil@baturin.org> | 2023-08-15 20:13:31 +0100 | 
|---|---|---|
| committer | Daniil Baturin <daniil@baturin.org> | 2023-08-15 20:13:31 +0100 | 
| commit | 26d7ab49d92d5c665f5d6bc21375a21e22da33f6 (patch) | |
| tree | 816b6f64e65e08ca28ddd531c16efae1ac032cad /src | |
| parent | 1d6180b74cff43ddc73a0f708b348cade5a9f12d (diff) | |
| download | vyos-1x-26d7ab49d92d5c665f5d6bc21375a21e22da33f6.tar.gz vyos-1x-26d7ab49d92d5c665f5d6bc21375a21e22da33f6.zip | |
T5271: allow the user to specify either CA or peer fingerprint
in OpenVPN site-to-site mode
Diffstat (limited to 'src')
| -rwxr-xr-x | src/conf_mode/interfaces-openvpn.py | 26 | 
1 files changed, 16 insertions, 10 deletions
| diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py
index 26b217d98..1d0feb56f 100755
--- a/src/conf_mode/interfaces-openvpn.py
+++ b/src/conf_mode/interfaces-openvpn.py
@@ -166,17 +166,23 @@ def verify_pki(openvpn):
             raise ConfigError(f'Invalid shared-secret on openvpn interface {interface}')
 
     if tls:
-        if 'ca_certificate' not in tls:
-            raise ConfigError(f'Must specify "tls ca-certificate" on openvpn interface {interface}')
-
-        for ca_name in tls['ca_certificate']:
-            if ca_name not in pki['ca']:
-                raise ConfigError(f'Invalid CA certificate on openvpn interface {interface}')
+        if (mode in ['server', 'client']) and ('ca_certificate' not in tls):
+            raise ConfigError(f'Must specify "tls ca-certificate" on openvpn interface {interface},\
+              it is required in server and client modes')
+        else:
+            if ('ca_certificate' not in tls) and ('peer_fingerprint' not in tls):
+                raise ConfigError('Either "tls ca-certificate" or "tls peer-fingerprint" is required\
+                  on openvpn interface {interface} in site-to-site mode')
 
-        if len(tls['ca_certificate']) > 1:
-            sorted_chain = sort_ca_chain(tls['ca_certificate'], pki['ca'])
-            if not verify_ca_chain(sorted_chain, pki['ca']):
-                raise ConfigError(f'CA certificates are not a valid chain')
+        if 'ca_certificate' in tls:
+            for ca_name in tls['ca_certificate']:
+                if ca_name not in pki['ca']:
+                    raise ConfigError(f'Invalid CA certificate on openvpn interface {interface}')
+
+            if len(tls['ca_certificate']) > 1:
+                sorted_chain = sort_ca_chain(tls['ca_certificate'], pki['ca'])
+                if not verify_ca_chain(sorted_chain, pki['ca']):
+                    raise ConfigError(f'CA certificates are not a valid chain')
 
         if mode != 'client' and 'auth_key' not in tls:
             if 'certificate' not in tls: | 
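Review bot: The site-to-site error in the new `else` branch is a plain string, not an f-string, so the operator sees the literal text `{interface}` instead of the interface name; it needs the `f` prefix like the other messages in this function. Both new messages are also built with a backslash inside the quotes, which splices the next line's indentation into the message text — use implicit concatenation of two literals inside the parentheses instead, and the `else:` wrapping a single `if` reads more naturally as `elif`. The new code accepts `peer_fingerprint` only by key presence; nothing in this hunk checks the fingerprint value itself, so if no other part of verify_pki validates it, a malformed value will only surface when OpenVPN starts — worth confirming. verify_pki continues past the end of this hunk, and the later certificate checks still apply to the fingerprint-only case.
```python
        if (mode in ['server', 'client']) and ('ca_certificate' not in tls):
            raise ConfigError(f'Must specify "tls ca-certificate" on openvpn interface {interface}, '
                              'it is required in server and client modes')
        elif ('ca_certificate' not in tls) and ('peer_fingerprint' not in tls):
            raise ConfigError('Either "tls ca-certificate" or "tls peer-fingerprint" is required '
                              f'on openvpn interface {interface} in site-to-site mode')
        # … unchanged: CA lookup and chain verification …
```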
