From 88885981dbce2e074641c2819011c0649ab29d9b Mon Sep 17 00:00:00 2001
From: Arne Schwabe <arne@rfc2549.org>
Date: Fri, 1 Oct 2021 15:10:23 +0200
Subject: Do not use key CA certificate if peer-fingerprint is enabled

---
 .../main/java/de/blinkt/openvpn/VpnProfile.java    | 30 ++++++++++++----------
 1 file changed, 16 insertions(+), 14 deletions(-)

diff --git a/main/src/main/java/de/blinkt/openvpn/VpnProfile.java b/main/src/main/java/de/blinkt/openvpn/VpnProfile.java
index 9146af00..f4afb5ad 100644
--- a/main/src/main/java/de/blinkt/openvpn/VpnProfile.java
+++ b/main/src/main/java/de/blinkt/openvpn/VpnProfile.java
@@ -244,6 +244,18 @@ public class VpnProfile implements Serializable, Cloneable {
             return false;
     }
 
+    static public String getVersionEnvString(Context c) {
+        String version = "unknown";
+        try {
+            PackageInfo packageinfo = c.getPackageManager().getPackageInfo(c.getPackageName(), 0);
+            version = packageinfo.versionName;
+        } catch (PackageManager.NameNotFoundException e) {
+            VpnStatus.logException(e);
+        }
+        return String.format(Locale.US, "%s %s", c.getPackageName(), version);
+
+    }
+
     @Override
     public boolean equals(Object obj) {
         if (obj instanceof VpnProfile) {
@@ -472,8 +484,10 @@ public class VpnProfile implements Serializable, Cloneable {
                     if (ks != null) {
                         if (!TextUtils.isEmpty(mCaFilename)) {
                             cfg.append(insertFileData("ca", mCaFilename));
-                        }
-                        else if (!TextUtils.isEmpty(ks[0])) {
+                        } else if (!TextUtils.isEmpty(ks[0]) && !mCheckPeerFingerprint) {
+                            /* if we have enabled peer-fingerprint verification the certificate from
+                             * the keystore is more likely to screw things up than to fix anything
+                             */
                             cfg.append("<ca>\n").append(ks[0]).append("\n</ca>\n");
                         }
                         if (!TextUtils.isEmpty(ks[1]))
@@ -713,18 +727,6 @@ public class VpnProfile implements Serializable, Cloneable {
                 NativeUtils.getNativeAPI(), Build.BRAND, Build.BOARD, Build.MODEL);
     }
 
-    static public String getVersionEnvString(Context c) {
-        String version = "unknown";
-        try {
-            PackageInfo packageinfo = c.getPackageManager().getPackageInfo(c.getPackageName(), 0);
-            version = packageinfo.versionName;
-        } catch (PackageManager.NameNotFoundException e) {
-            VpnStatus.logException(e);
-        }
-        return String.format(Locale.US, "%s %s", c.getPackageName(), version);
-
-    }
-
     @NonNull
     private Collection<String> getCustomRoutes(String routes) {
         Vector<String> cidrRoutes = new Vector<>();
-- 
cgit v1.2.3