From 6ee383dffcc09f6c193784a5f8ad7eabe4137c92 Mon Sep 17 00:00:00 2001 From: Ad Schellevis Date: Mon, 4 Jul 2022 16:54:45 +0200 Subject: [PATCH] security/stunnel: remove optional setting chainIntermediateCAs and ship chain by default. ref https://github.com/opnsense/plugins/pull/2854 While working on the documentation I noticed my previous comment was wrong, which also invalidates the need for an optional setting. When it comes to the "CAfile" setting, the chain shouldn't be provided, for the listener (the server cert) it shouldn't matter at all if you ship the chain since it's not part of the authentication. This commits simplifies https://github.com/opnsense/plugins/pull/2854 by removing the option. The current documentation online doesn't need any modifications for this. --- .../OPNsense/Stunnel/forms/dialogService.xml | 11 ----------- .../mvc/app/models/OPNsense/Stunnel/Stunnel.xml | 6 +----- .../src/opnsense/scripts/stunnel/generate_certs.php | 10 ++++------ 3 files changed, 5 insertions(+), 22 deletions(-) diff --git a/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/forms/dialogService.xml b/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/forms/dialogService.xml index dc8008bd9..2b7f7bb64 100644 --- a/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/forms/dialogService.xml +++ b/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/forms/dialogService.xml @@ -41,17 +41,6 @@ dropdown - - service.chainIntermediateCAs - - checkbox - true - - service.cacert diff --git a/security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/Stunnel.xml b/security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/Stunnel.xml index d81c05a6a..13e2f02fd 100644 --- a/security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/Stunnel.xml +++ b/security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/Stunnel.xml @@ -1,6 +1,6 @@ //OPNsense/Stunnel - 1.0.4 + 1.0.3 Stunnel TLS encryption proxy 
@@ -81,10 +81,6 @@ cert Please select a valid certificate from the list - - 0 - Y - N /^([\t\n\v\f\r 0-9a-zA-Z.\-,_\x{00A0}-\x{FFFF}]){0,255}$/u diff --git a/security/stunnel/src/opnsense/scripts/stunnel/generate_certs.php b/security/stunnel/src/opnsense/scripts/stunnel/generate_certs.php index a28ac6919..4aeb667e4 100755 --- a/security/stunnel/src/opnsense/scripts/stunnel/generate_certs.php +++ b/security/stunnel/src/opnsense/scripts/stunnel/generate_certs.php @@ -46,12 +46,10 @@ foreach ($stunnel->services->service->iterateItems() as $service) { foreach ($configObj->cert as $cert) { if ($srv_certid == (string)$cert->refid) { $all_certs["{$base_path}/{$this_uuid}.crt"] = base64_decode((string)$cert->crt); - if (!empty((string)$service->chainIntermediateCAs)) { - $certArr = (array)$cert; - $chain = ca_chain($certArr); - if (!empty($chain)) { - $all_certs["{$base_path}/{$this_uuid}.crt"] .= "\n" . $chain; - } + $certArr = (array)$cert; + $chain = ca_chain($certArr); + if (!empty($chain)) { + $all_certs["{$base_path}/{$this_uuid}.crt"] .= "\n" . $chain; } $all_certs["{$base_path}/{$this_uuid}.crt"] .= "\n" . base64_decode((string)$cert->prv); }
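Review bot: The reason the CA chain is now appended unconditionally in generate_certs.php lives only in the commit message; nothing at `$chain = ca_chain($certArr);` tells the next reader that the server cert file is meant to always carry the intermediates, so a comment such as `// always ship the intermediate chain with the service cert; it is not used for peer verification, which (per the commit message) is built from CAfile elsewhere` would keep that intent with the code — the "elsewhere" part is inferred from the commit message and should be checked against the rest of the script. As a point of style, the three separate concatenations onto the same interpolated `$all_certs[...]` key could collect the PEM parts in a list and `implode("\n", ...)` once, which also makes the leaf → chain → key order visible at a glance. The enclosing `foreach ($stunnel->services->service->iterateItems() ...)` and the inner `foreach ($configObj->cert ...)` start before this hunk and continue after it.
```php
if ($srv_certid == (string)$cert->refid) {
    // leaf cert, then the CA chain (always shipped), then the private key — same order as before
    $pem = [base64_decode((string)$cert->crt)];
    $chain = ca_chain((array)$cert);
    if (!empty($chain)) {
        $pem[] = $chain;
    }
    $pem[] = base64_decode((string)$cert->prv);
    $all_certs["{$base_path}/{$this_uuid}.crt"] = implode("\n", $pem);
}
```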