summaryrefslogtreecommitdiff
path: root/src/conf_mode/interfaces-openvpn.py
diff options
context:
space:
mode:
Diffstat (limited to 'src/conf_mode/interfaces-openvpn.py')
-rwxr-xr-xsrc/conf_mode/interfaces-openvpn.py5
1 files changed, 4 insertions, 1 deletions
diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py
index 6b5a3363e..b75b6dc1b 100755
--- a/src/conf_mode/interfaces-openvpn.py
+++ b/src/conf_mode/interfaces-openvpn.py
@@ -38,6 +38,7 @@ from vyos.validate import is_addr_assigned
from vyos.validate import is_ipv6
from vyos.configverify import verify_vrf
from vyos.configverify import verify_bridge_delete
+from vyos.configverify import verify_diffie_hellman_length
from vyos import ConfigError
from vyos import airbag
@@ -229,7 +230,6 @@ def verify(openvpn):
if 'remote_host' in openvpn:
raise ConfigError('Cannot specify "remote-host" in server mode')
- tmp = dict_search('tls.dh_file', openvpn)
if 'tls' in openvpn:
if 'dh_file' not in openvpn['tls']:
if 'key_file' in openvpn['tls'] and not checkCertHeader('-----BEGIN EC PRIVATE KEY-----', openvpn['tls']['key_file']):
@@ -415,6 +415,9 @@ def verify(openvpn):
if file and not checkCertHeader('-----BEGIN DH PARAMETERS-----', file):
raise ConfigError(f'Specified dh-file "{file}" is not valid')
+ if file and not verify_diffie_hellman_length(file, 2048):
+ raise ConfigError(f'Minimum DH key-size is 2048 bits')
+
tmp = dict_search('tls.role', openvpn)
if tmp:
if openvpn['mode'] in ['client', 'server']:
generated by cgit v1.2.3 (git 2.39.1) at 2024-09-24 06:26:31 +0000