From fa2518576638532aa3b23d4d72d77abc0c3f21d3 Mon Sep 17 00:00:00 2001
From: Daniil Baturin
Date: Wed, 9 Aug 2023 19:59:15 +0100
Subject: openvpn: T5271: add peer certificate fingerprint option

---
 data/templates/openvpn/server.conf.j2 | 8 ++++++++
 interface-definitions/interfaces-openvpn.xml.in | 10 ++++++++++
 2 files changed, 18 insertions(+)

diff --git a/data/templates/openvpn/server.conf.j2 b/data/templates/openvpn/server.conf.j2
index d144529f3..a9bd45370 100644
--- a/data/templates/openvpn/server.conf.j2
+++ b/data/templates/openvpn/server.conf.j2
@@ -200,6 +200,14 @@ tls-client
 {% elif tls.role is vyos_defined('passive') %}
 tls-server
 {% endif %}
+
+{% if peer_fingerprint is vyos_defined %}
+
+{% for fp in peer_fingerprint %}
+{{ fp }}
+{% endfor %}
+
+{% endif %}
 {% endif %}
 
 # Encryption options
diff --git a/interface-definitions/interfaces-openvpn.xml.in b/interface-definitions/interfaces-openvpn.xml.in
index 127a8179b..831659250 100644
--- a/interface-definitions/interfaces-openvpn.xml.in
+++ b/interface-definitions/interfaces-openvpn.xml.in
@@ -752,6 +752,16 @@
+ + + + Peer certificate SHA256 fingerprint + + [0-9a-fA-F]{2}:([0-9a-fA-F]{2}:){30}[0-9a-fA-F]{2} + + Peer certificate fingerprint must be a colon-separated SHA256 hex digest + + Specify the minimum required TLS version
-- 
cgit v1.2.3
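Review bot: The new `{% if peer_fingerprint is vyos_defined %}` block in server.conf.j2 carries no comment saying what it enforces, and each value reaches the generated config verbatim through `{{ fp }}`, so the only thing keeping anything other than a hex digest out of server.conf is the regex constraint added in interfaces-openvpn.xml.in; that dependency deserves to be stated at the point of use. I would add, directly above the `{% if %}` line, `{# Accept only peers whose certificate SHA256 fingerprint is listed; values are pre-validated by the hex/colon regex in the interface definition #}`. The two bare `+` lines wrapping the `{% for %}` loop appear in this rendering without content, so the OpenVPN inline-block tags that presumably surround the loop should be confirmed in the real file. The enclosing conditional (the one closed by the trailing `{% endif %}`, which from the `tls.role` branch looks like the tls block) begins before this hunk, so whether the directive is meant to be usable without a CA cannot be judged here. If the shipped OpenVPN build predates support for this directive, the rendered config would be rejected at load time rather than falling back silently, which is worth a version note in the commit or template.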
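Review bot: The `{30}` in the constraint regex `[0-9a-fA-F]{2}:([0-9a-fA-F]{2}:){30}[0-9a-fA-F]{2}` reads as a magic number; an XML comment beside it such as `<!-- 32 colon-separated octets = 256-bit SHA256 digest -->` would make the intent checkable at a glance. Unless the constraint engine anchors regexes implicitly, this pattern also matches any longer string that merely contains a fingerprint, and whatever passes here is written unchanged into server.conf by the template hunk, so confirm the match is a full match or anchor it with `^` and `$`. The help text `Peer certificate SHA256 fingerprint` could add that the digest is of the peer's certificate rather than its key, so it must be refreshed whenever that certificate is renewed, and that several values may be given (the template iterates over the value, so a multi-value marker is presumably present but is not visible in this rendering). The enclosing node opens before this hunk and its closing tags are not shown here.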