security/stunnel: remove optional setting chainIntermediateCAs and ship chain by default. ref https://github.com/opnsense/plugins/pull/2854

While working on the documentation I noticed my previous comment was wrong, which also invalidates the need for an optional setting. When it comes to the "CAfile" setting, the chain shouldn't be provided, for the listener (the server cert) it shouldn't matter at all if you ship the chain since it's not part of the authentication.

This commits simplifies https://github.com/opnsense/plugins/pull/2854 by removing the option. The current documentation online doesn't need any modifications for this.

security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/forms/dialogService.xml

@@ -41,17 +41,6 @@
         <type>dropdown</type>
         <help><![CDATA[Select a certificate to use for this service.]]></help>
     </field>
-    <field>
-        <id>service.chainIntermediateCAs</id>
-        <label>Chain intermediate CAs</label>
-        <type>checkbox</type>
-        <advanced>true</advanced>
-        <help><![CDATA[
-          Bundle the selected certificate with its intermediate certificate authorities together to form a certificate chain.
-          If you plan to use PKI to identify clients, you usually don't want to enable this as it expands the trust chain to all
-          certificates created by any of the parent certificates.
-          ]]></help>
-    </field>
     <field>
         <id>service.cacert</id>
         <label>CA to validate connections to</label>

security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/Stunnel.xml

@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/Stunnel</mount>
-    <version>1.0.4</version>
+    <version>1.0.3</version>
     <description>
         Stunnel TLS encryption proxy
     </description>
@@ -81,10 +81,6 @@
                     <Type>cert</Type>
                     <ValidationMessage>Please select a valid certificate from the list</ValidationMessage>
                 </servercert>
-                <chainIntermediateCAs type="BooleanField">
-                    <default>0</default>
-                    <Required>Y</Required>
-                </chainIntermediateCAs>
                 <description type="TextField">
                     <Required>N</Required>
                     <mask>/^([\t\n\v\f\r 0-9a-zA-Z.\-,_\x{00A0}-\x{FFFF}]){0,255}$/u</mask>

security/stunnel/src/opnsense/scripts/stunnel/generate_certs.php

@@ -46,12 +46,10 @@ foreach ($stunnel->services->service->iterateItems() as $service) {
         foreach ($configObj->cert as $cert) {
             if ($srv_certid == (string)$cert->refid) {
                 $all_certs["{$base_path}/{$this_uuid}.crt"] = base64_decode((string)$cert->crt);
-                if (!empty((string)$service->chainIntermediateCAs)) {
-                    $certArr = (array)$cert;
-                    $chain = ca_chain($certArr);
-                    if (!empty($chain)) {
-                        $all_certs["{$base_path}/{$this_uuid}.crt"] .= "\n" . $chain;
-                    }
+                $certArr = (array)$cert;
+                $chain = ca_chain($certArr);
+                if (!empty($chain)) {
+                    $all_certs["{$base_path}/{$this_uuid}.crt"] .= "\n" . $chain;
                 }
                 $all_certs["{$base_path}/{$this_uuid}.crt"] .= "\n" . base64_decode((string)$cert->prv);
             }