From 3bfd91713a5c71fb7fb637c27e447aa8b72c1c6c Mon Sep 17 00:00:00 2001
From: Daniil Baturin <daniil@baturin.org>
Date: Wed, 29 May 2024 13:58:17 +0100
Subject: openvpn: T6374: only check TLS role for s2s if TLS is configured

(cherry picked from commit f4069582273e1ee9916dea7de1e6ec176db81bc6)
---
 src/conf_mode/interfaces_openvpn.py | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)


diff --git a/src/conf_mode/interfaces_openvpn.py b/src/conf_mode/interfaces_openvpn.py
index 5b9c21757..627cc90ba 100755
--- a/src/conf_mode/interfaces_openvpn.py
+++ b/src/conf_mode/interfaces_openvpn.py
@@ -168,6 +168,14 @@ def verify_pki(openvpn):
                            'verification, consult the documentation for details.')
 
     if tls:
+        if mode == 'site-to-site':
+            # XXX: site-to-site with PSKs is the only mode that can work without TLS,
+            # so 'tls role' is not mandatory for it,
+            # but we need to check that if it uses peer certificate fingerprints rather than PSKs,
+            # then the TLS role is set
+            if ('shared_secret_key' not in tls) and ('role' not in tls):
+                raise ConfigError('"tls role" is required for site-to-site OpenVPN with TLS')
+
         if (mode in ['server', 'client']) and ('ca_certificate' not in tls):
             raise ConfigError(f'Must specify "tls ca-certificate" on openvpn interface {interface},\
               it is required in server and client modes')
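Review bot: The explanatory comment on the new site-to-site branch narrows the guarded case to "peer certificate fingerprints", but the condition only tests for the absence of `shared_secret_key`, so every non-PSK TLS setup (CA-signed certificates as well as fingerprints) is what actually requires `role`; the comment should state that so a later reader does not relax the check. Suggested wording: `# NOTE: site-to-site with a pre-shared key is the only TLS-less variant; any other TLS configuration (certificate- or fingerprint-based) must set an explicit TLS role.` The `XXX` marker normally flags a known hack, which this is not, so `NOTE` fits better. `verify_pki` starts outside the hunk, so it cannot be confirmed here where `tls` and `mode` are bound; presumably they are derived from the interface dict above.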
@@ -260,11 +268,6 @@ def verify(openvpn):
     # OpenVPN site-to-site - VERIFY
     #
     elif openvpn['mode'] == 'site-to-site':
-        # XXX: site-to-site is the only mode that still can work without TLS,
-        # so we need to make sure that if TLS is used, then TLS role is also specified
-        if 'shared_secret_key' not in openvpn['tls'] and 'role' not in openvpn['tls']:
-            raise ConfigError('"tls role" is required for site-to-site OpenVPN with TLS')
-
         if 'local_address' not in openvpn and 'is_bridge_member' not in openvpn:
             raise ConfigError('Must specify "local-address" or add interface to bridge')
 
-- 