Bernhard.Linz/openvpn-install
1
0
Fork 0
mirror of https://github.com/angristan/openvpn-install.git synced 2025-12-29 14:17:03 +01:00
Code Issues Projects Releases Wiki Activity

fix: show revoked clients in listClients() for fingerprint mode

Browse Source 
In fingerprint mode, revoked clients are removed from the peer-fingerprint
block but their cert files still exist. Now we scan all certs in pki/issued/
and mark those not in the fingerprint block as 'revoked'.
This commit is contained in:
Stanislas Lange
2025-12-29 12:00:11 +01:00
parent 257b3ed8fc
commit 796f35fd05
1 changed files with 27 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
openvpn-install.sh
View File

@@ -3663,11 +3663,24 @@ function listClients() {
local clients_data=() local clients_data=()
if [[ $auth_mode == "fingerprint" ]]; then if [[ $auth_mode == "fingerprint" ]]; then
# Fingerprint mode: get clients from server.conf peer-fingerprint block # Fingerprint mode: get clients from certificates in pki/issued/
# All clients in the block are valid (revoked clients are removed) # Valid clients have their fingerprint in server.conf, revoked ones don't
local clients_list local valid_clients
clients_list=$(getClientsFromFingerprints) valid_clients=$(getClientsFromFingerprints)
number_of_clients=$(echo "$clients_list" | grep -c . || echo 0)
# Get all client certificates (exclude server certs)
local all_clients=()
for cert_file in "$cert_dir"/*.crt; do
[[ ! -f "$cert_file" ]] && continue
local client_name
client_name=$(basename "$cert_file" .crt)
# Skip server certificates and backup files
[[ "$client_name" == server_* ]] && continue
[[ "$client_name" == *.bak ]] && continue
all_clients+=("$client_name")
done
number_of_clients=${#all_clients[@]}
if [[ $number_of_clients == '0' ]]; then if [[ $number_of_clients == '0' ]]; then
if [[ $format == "json" ]]; then if [[ $format == "json" ]]; then
@@ -3678,9 +3691,15 @@ function listClients() {
return return
fi fi
while read -r client_name; do for client_name in "${all_clients[@]}"; do
[[ -z "$client_name" ]] && continue [[ -z "$client_name" ]] && continue
local status_text="valid" local status_text
# Check if client is in the valid fingerprints list
if echo "$valid_clients" | grep -qx "$client_name"; then
status_text="valid"
else
status_text="revoked"
fi
local cert_file="$cert_dir/$client_name.crt" local cert_file="$cert_dir/$client_name.crt"
local expiry_date="unknown" local expiry_date="unknown"
local days_remaining="null" local days_remaining="null"
@@ -3703,7 +3722,7 @@ function listClients() {
fi fi
clients_data+=("$client_name|$status_text|$expiry_date|$days_remaining") clients_data+=("$client_name|$status_text|$expiry_date|$days_remaining")
done <<<"$clients_list" done
else else
# PKI mode: get clients from index.txt # PKI mode: get clients from index.txt
# Exclude server certificates (CN starting with server_) # Exclude server certificates (CN starting with server_)