VPN: OpenVPN: Instances - when cert_depth is left empty, it should …

…ignore the value. #7228 (comment) Changing allowed to the depth found should have this effect.
opnsense · Mar 12, 2024 · 519f4cb · 519f4cb
1 parent 52eed1a
commit 519f4cb
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/src/opnsense/scripts/openvpn/tls_verify.php b/src/opnsense/scripts/openvpn/tls_verify.php
@@ -42,7 +42,7 @@ function do_verify($serverid)
         return "OpenVPN '$serverid' was not found. Denying authentication for user {$username}";
     }
     $certificate_depth = getenv('certificate_depth') !== false ? getenv('certificate_depth') : 0;
-    $allowed_depth = !empty($a_server['cert_depth']) ? $a_server['cert_depth'] : 1;
+    $allowed_depth = !empty($a_server['cert_depth']) ? $a_server['cert_depth'] : $certificate_depth;
     if ($certificate_depth > $allowed_depth) {
         return "Certificate depth {$certificate_depth} exceeded max allowed depth of {$allowed_depth}.";
     } elseif ($a_server['use_ocsp'] && $certificate_depth == 0) {