T7635: OpenConnect Certificate Authentication

giga1699 · giga1699 · commit fbd653e80f49 · 2025-08-19T01:39:12.000Z
diff --git a/data/templates/ocserv/ocserv_config.j2 b/data/templates/ocserv/ocserv_config.j2
@@ -30,14 +30,14 @@ auth = "plain[otp=/run/ocserv/users.oath]"
 {%     else %}
 auth = "plain[/run/ocserv/ocpasswd]"
 {%     endif %}
-{% elif "cert" in authentication.mode %}
+{% elif "certificate" in authentication.mode %}
 auth = "certificate"
-{%     if authentication.mode.cert == "cn" %}
+{%     if authentication.mode.certificate == "cn" %}
 cert-user-oid = 2.5.4.3
-{%     elif authentication.mode.cert == "uid" %}
+{%     elif authentication.mode.certificate == "uid" %}
 cert-user-oid = 0.9.2342.19200300.100.1.1
 {%     else %}
-cert-user-oid = {{ authentication.mode.cert }}
+cert-user-oid = {{ authentication.mode.certificate }}
 {%     endif %}
 {% else %}
 auth = "plain[/run/ocserv/ocpasswd]"
diff --git a/interface-definitions/vpn_openconnect.xml.in b/interface-definitions/vpn_openconnect.xml.in
@@ -69,7 +69,7 @@
                       <valueless/>
                     </properties>
                   </leafNode>
-                  <leafNode name="cert">
+                  <leafNode name="certificate">
                     <properties>
                       <help>Use certificate based authentication</help>
                       <valueHelp>
diff --git a/src/conf_mode/vpn_openconnect.py b/src/conf_mode/vpn_openconnect.py
@@ -108,13 +108,13 @@ def verify(ocserv):
                  and 'radius' in ocserv['authentication']['mode'])
                 or
                 ('local' in ocserv['authentication']['mode']
-                 and 'cert' in ocserv['authentication']['mode'])
+                 and 'certificate' in ocserv['authentication']['mode'])
                 or
                 ('radius' in ocserv['authentication']['mode']
-                 and 'cert' in ocserv['authentication']['mode'])
+                 and 'certificate' in ocserv['authentication']['mode'])
             ):
                 raise ConfigError(
-                    'OpenConnect authentication modes are mutually-exclusive. Only one of local, radius, or cert.'
+                    'OpenConnect authentication modes are mutually-exclusive. Only one of local, radius, or certificate.'
                 )
             if 'radius' in ocserv['authentication']['mode']:
                 if 'server' not in ocserv['authentication']['radius']:
@@ -208,7 +208,7 @@ def verify(ocserv):
         raise ConfigError('SSL certificate missing on OpenConnect config!')
     verify_pki_certificate(ocserv, ocserv['ssl']['certificate'])
 
-    if 'ca_certificate' not in ocserv['ssl'] and 'cert' in ocserv['authentication']['mode']:
+    if 'ca_certificate' not in ocserv['ssl'] and 'certificiate' in ocserv['authentication']['mode']:
         raise ConfigError('CA certificate must be provided in certificate authentication mode!')
 
     if 'ca_certificate' in ocserv['ssl']:
