diff --git a/config/ovpn/verify b/config/ovpn/verify
index 1a1fcb501d..ed13a468d6 100644
--- a/config/ovpn/verify
+++ b/config/ovpn/verify
@@ -30,7 +30,7 @@ my $CN = $ARGV[1];
 exit 0 unless ($DEPTH eq "0");
 # Strip the CN from the X509 identifier.
-$CN =~ /(\/|,\ )CN=(.*)$/i;
+$CN =~ /(\/|,\ )?CN=([^,\/ ]+)?/i;
 $CN = $2;
 my %confighash = ();
@@ -48,9 +48,17 @@ if (-f "${General::swroot}/ovpn/ovpnconfig"){
 # Search for a matching CN.
 exit 0 if ($cn eq $CN);
- # Compatibility code for incorrectly saved CNs.
+ # Compatibility code for incorrectly saved CNs:
+
+ # 1) try to match an incorrectly saved CN
+ # See https://bugzilla.ipfire.org/show_bug.cgi?id=10552
+ $cn =~ s/^([^\/]+)(\/.*)?$/$1/g;
+
+ # 2) Handle OpenVPN's substitutions of space characters
+ # See http://lists.ipfire.org/pipermail/development/2013-January/000225.html
 $cn =~ s/\ /_/g;
- exit 0 if ($cn eq $CN);
+
+ exit 0 if ($cn eq $CN);
 }
 }
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index b2ce05e97a..70e232a8a5 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -3891,11 +3891,9 @@ if ($cgiparams{'TYPE'} eq 'net') {
 &deletebackupcert();
 }
- my $temp = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem`;
- $temp =~ /Subject:.*CN=(.*)[\n]/;
+ my $temp = `/usr/bin/openssl x509 -subject -nameopt sep_multiline,sname,esc_ctrl,esc_msb -noout -in ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem`;
+ $temp =~ /^[\ ]{4}CN=(.+)$/m;
 $temp = $1;
- $temp =~ s+/Email+, E+;
- $temp =~ s/ ST=/ S=/;
 $cgiparams{'CERT_NAME'} = $temp;
 $cgiparams{'CERT_NAME'} =~ s/,//g;
 $cgiparams{'CERT_NAME'} =~ s/\'//g;
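Review bot: In the -30 hunk of config/ovpn/verify, `$CN =~ /(\/|,\ )?CN=([^,\/ ]+)?/i;` makes both the separator and the capture optional and its result is never tested, so `$CN = $2` can leave `$CN` undefined, or holding whatever `$2` an earlier match left behind when nothing matches. With the separator optional and `/i` set, `CN=` is also accepted in the middle of another attribute's value, and the capture stops at the first `/`, `,` or space, so the `exit 0 if ($cn eq $CN)` comparisons in the -48 hunk work on a fragment rather than the whole CN. Since this script decides whether a peer is accepted, I would require a separator or start of string and fail closed when nothing is captured: `exit 1 unless ($CN =~ /(?:^|\/|,\ )CN=([^,\/ ]+)/i);` followed by `$CN = $1;`. Whether a stored CN can be empty is not visible here; if it can, an undefined `$CN` would compare equal to it.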
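Review bot: The rewritten `openssl x509` call in the -3891 hunk of ovpnmain.cgi still interpolates `$cgiparams{'NAME'}` into a backtick command, so a request parameter reaches a shell; whether `NAME` is validated before this point is not visible in the hunk, and the same line is added again in the -3945 hunk. Running openssl through a list-form pipe keeps the file name out of the shell, and `NAME` should still be limited to the connection-name character set because it also ends up in a path. The match `$temp =~ /^[\ ]{4}CN=(.+)$/m;` is unchecked as well, so on a failed match `$temp = $1` picks up a capture from an earlier regex instead of becoming empty, and the `CERT_NAME eq ''` test shown in the -3945 hunk would not fire. The enclosing block starts and ends outside the hunk.

```perl
# … unchanged: &deletebackupcert() branch …
my $certfile = "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem";
my $temp = '';
if (open(my $openssl, '-|', '/usr/bin/openssl', 'x509', '-subject',
        '-nameopt', 'sep_multiline,sname,esc_ctrl,esc_msb',
        '-noout', '-in', $certfile)) {
    local $/;
    $temp = <$openssl> // '';
    close($openssl);
}
# Empty string on a failed match, so the CERT_NAME eq '' check can reject it.
$temp = ($temp =~ /^[\ ]{4}CN=(.+)$/m) ? $1 : '';
# … unchanged: CERT_NAME clean-up …
```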
@@ -3945,14 +3943,13 @@ if ($cgiparams{'TYPE'} eq 'net') {
 }
 }
- my $temp = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem`;
- $temp =~ /Subject:.*CN=(.*)[\n]/;
+ my $temp = `/usr/bin/openssl x509 -subject -nameopt sep_multiline,sname,esc_ctrl,esc_msb -noout -in ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem`;
+ $temp =~ /^[\ ]{4}CN=(.+)$/m;
 $temp = $1;
- $temp =~ s+/Email+, E+;
- $temp =~ s/ ST=/ S=/;
 $cgiparams{'CERT_NAME'} = $temp;
 $cgiparams{'CERT_NAME'} =~ s/,//g;
 $cgiparams{'CERT_NAME'} =~ s/\'//g;
+
 if ($cgiparams{'CERT_NAME'} eq '') {
 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
 $errormessage = $Lang::tr{'could not retrieve common name from certificate'};
@@ -5111,7 +5108,9 @@ END
 }else {
 my $cn;
+ my $config_cn;
 my @match = ();
+
 foreach my $line (@status) {
 chomp($line);
 if ( $line =~ /^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/) {
@@ -5119,8 +5118,16 @@ END
 if ($match[1] ne "Common Name") {
 $cn = $match[1];
 }
+ #Handle OpenVPN's substitutions of space characters
+ # See http://lists.ipfire.org/pipermail/development/2013-January/000225.html
 $cn =~ s/[_]/ /g;
- if ($cn eq "$confighash{$key}[2]") {
+
+ # Work around incorrectly saved CNs
+ # See https://bugzilla.ipfire.org/show_bug.cgi?id=10552 .
+ $config_cn = $confighash{$key}[2];
+ $config_cn =~ s/^([^\/]+)(\/.*)?/$1/g;
+
+ if ($config_cn eq $cn) {
 $col1="bgcolor='${Header::colourgreen}'";
 $active = "$Lang::tr{'capsopen'}";
 }
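Review bot: The CN normalisation added in the -5119 hunk, `$config_cn =~ s/^([^\/]+)(\/.*)?/$1/g;`, is a second copy of the one added to config/ovpn/verify, written slightly differently (no `$` anchor), and the space handling runs the other way round: this page turns `_` into spaces on the reported name while verify turns spaces into `_` on the stored one. The status display and the access decision can therefore disagree about which entry a peer belongs to, for example for a stored CN that really contains an underscore. I would keep one normalising function in a module both files already load (both reference `${General::swroot}`) and call it from both places, and drop the `/g`, which does nothing on a pattern anchored with `^`. The `foreach` body continues outside the hunk.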