优化证书认证逻辑，增加回退用户认证功能，可选仅证书认证

2025-09-14 07:04:19 +08:00 · 2025-08-22 12:48:41 +08:00
parent 02a49b30a7
commit a44f2d6161
6 changed files with 24 additions and 14 deletions
--- a/server/conf/profile.xml
+++ b/server/conf/profile.xml
@@ -13,6 +13,8 @@
        <WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
        <LinuxVPNEstablishment>AllowRemoteUsers</LinuxVPNEstablishment>
        <CertEnrollmentPin>pinAllowed</CertEnrollmentPin>
+        <CertificateStore>User</CertificateStore>
+        <AutomaticCertSelection UserControllable="true">true</AutomaticCertSelection>
        <CertificateMatch>
            <KeyUsage>
                <MatchKey>Digital_Signature</MatchKey>
@@ -20,7 +22,6 @@
            <ExtendedKeyUsage>
                <ExtendedMatchKey>ClientAuth</ExtendedMatchKey>
            </ExtendedKeyUsage>
-        <CertificateStore>User</CertificateStore>
        </CertificateMatch>

    </ClientInitialization>
--- a/server/conf/server-sample.toml
+++ b/server/conf/server-sample.toml
@@ -10,10 +10,10 @@ db_source = "./conf/anylink.db"
 cert_file = "./conf/vpn_cert.pem"
 cert_key = "./conf/vpn_cert.key"

-#是否启用独立证书验证,开启后客户端连接需要携带证书
-#如果不开启则使用用户名密码验证
-auth_alone_cert = false
-
+# 开启后支持证书验证，客户端未提供证书或证书验证失败，则回退到用户名密码验证
+auth_cert = false
+# 开启后仅支持证书验证，客户端只能使用证书验证，不开启则回退用户名密码验证
+auth_only_cert = false
 #客户端证书CA证书
 client_cert_ca_file = "./conf/client_ca.pem"
 #客户端证书CA密钥