-rw-r--r--data/templates/openvpn/server.conf.tmpl2
-rw-r--r--interface-definitions/interfaces-openvpn.xml.in8
-rwxr-xr-xsrc/conf_mode/interfaces-openvpn.py2
3 files changed, 9 insertions, 3 deletions
diff --git a/data/templates/openvpn/server.conf.tmpl b/data/templates/openvpn/server.conf.tmpl
index 9e4cc6813..6aedc3786 100644
--- a/data/templates/openvpn/server.conf.tmpl
+++ b/data/templates/openvpn/server.conf.tmpl
@@ -176,6 +176,8 @@ tls-version-min {{ tls.tls_version_min }}
{% endif %}
{% if tls.dh_params is defined and tls.dh_params is not none %}
dh /run/openvpn/{{ ifname }}_dh.pem
+{% elif mode == 'server' and tls.private_key is defined %}
+dh none
{% endif %}
{% if tls.auth_key is defined and tls.auth_key is not none %}
{% if mode == 'client' %}
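Review bot: The new `elif` branch guards only on `tls.private_key is defined`, while the sibling branches in this template (`tls.dh_params`, `tls.auth_key`) also require `is not none`, so a key that is present but null would still emit `dh none`; for consistency use `{% elif mode == 'server' and tls.private_key is defined and tls.private_key is not none %}`. It would also help a reader to record why omitting DH parameters is acceptable here, since that invariant appears to live in the Python conf_mode rather than the template: a comment such as `{# server without dh-params: verify_pki appears to require an EC key, so ECDH is used instead #}` above the branch. The `is_ec_private_key` check visible in the third hunk is what I am inferring this from; its raise is outside the hunk, so confirm before relying on it.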
diff --git a/interface-definitions/interfaces-openvpn.xml.in b/interface-definitions/interfaces-openvpn.xml.in
index 2ecac78e2..d67549d87 100644
--- a/interface-definitions/interfaces-openvpn.xml.in
+++ b/interface-definitions/interfaces-openvpn.xml.in
@@ -678,7 +678,7 @@
<properties>
<help>Specify the minimum required TLS version</help>
<completionHelp>
- <list>1.0 1.1 1.2</list>
+ <list>1.0 1.1 1.2 1.3</list>
</completionHelp>
<valueHelp>
<format>1.0</format>
@@ -692,8 +692,12 @@
<format>1.2</format>
<description>TLS v1.2</description>
</valueHelp>
+ <valueHelp>
+ <format>1.3</format>
+ <description>TLS v1.3</description>
+ </valueHelp>
<constraint>
- <regex>^(1.0|1.1|1.2)$</regex>
+ <regex>^(1.0|1.1|1.2|1.3)$</regex>
</constraint>
</properties>
</leafNode>
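Review bot: The rewritten constraint `^(1.0|1.1|1.2|1.3)$` leaves the dots unescaped, so the validator also accepts values like `1x3` or `1,2` and passes them straight into `tls-version-min` in the rendered config, where OpenVPN will reject them at start-up rather than at commit time; since the line is being changed anyway, `<regex>^(1\.0|1\.1|1\.2|1\.3)$</regex>` closes that gap. This was already true of the previous pattern, so it is a pre-existing validation weakness rather than a regression. Whether the OpenVPN and TLS library versions the project ships actually honour a 1.3 minimum is not visible from this diff and is worth confirming before exposing the option.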
diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py
index 02b7f83bf..ce62a8b82 100755
--- a/src/conf_mode/interfaces-openvpn.py
+++ b/src/conf_mode/interfaces-openvpn.py
@@ -134,7 +134,7 @@ def verify_pki(openvpn):
if tls['certificate'] not in pki['certificate']:
raise ConfigError(f'Invalid certificate on openvpn interface {interface}')
- if dict_search_args(pki, 'certificate', tls['certificate'], 'private', 'password_protected'):
+ if dict_search_args(pki, 'certificate', tls['certificate'], 'private', 'password_protected') is not None:
raise ConfigError(f'Cannot use encrypted private key on openvpn interface {interface}')
if mode == 'server' and 'dh_params' not in tls and not is_ec_private_key(pki, tls['certificate']):