OpenVPN: Fix for '--ns-cert-type server is deprecated' .

- Added extended key usage based on RFC3280 TLS rules for OpenVPNs OpenSSL configuration,
so '--remote-cert-tls' can be used instead of the old and deprecated '--ns-cert-type'
if the host certificate are newely generated with this options.
Nevertheless both directives (old and new) will work also with old CAs.

- Automatic detection if the host certificate uses the new options.
If it does, '--remote-cert-tls server' will be automatically set into the client
configuration files for Net-to-Net and Roadwarriors connections.

If it does NOT, the old '--ns-cert-type server' directive will be set in the client
configuration file.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

config/ovpn/openssl/ovpn.cnf

@@ -77,6 +77,8 @@ basicConstraints		= CA:FALSE
 nsComment			= "OpenSSL Generated Certificate"
 subjectKeyIdentifier		= hash
 authorityKeyIdentifier		= keyid,issuer:always
+extendedKeyUsage               = clientAuth
+keyUsage                       = digitalSignature
 
 [ server ]
 
@@ -86,6 +88,8 @@ nsCertType			= server
 nsComment			= "OpenSSL Generated Server Certificate"
 subjectKeyIdentifier		= hash
 authorityKeyIdentifier		= keyid,issuer:always 
+extendedKeyUsage               = serverAuth
+keyUsage                       = digitalSignature, keyEncipherment
 
 [ v3_req ]
 basicConstraints 		= CA:FALSE