ocserv: support custom server SSL certificate

[jacklovell]

Add UCI options for the path to the server's SSL certificate and private key. This enables the use of a certificate provided by an external certificate authority instead of the default self-signed certificate.

The self-signed certificate is still produced if it doesn't already exist, and is used by default. So this change should be transparent to existing users.

Fixes #23099.

📦 Package Details

Maintainer: @nmav

Description:
Add UCI options for the path to the server's SSL certificate and private key. This enables the use of a certificate provided by an external certificate authority instead of the default self-signed certificate.

---

🧪 Run Testing Details

• OpenWrt Version: 25.12
• OpenWrt Target/Subtarget: lantiq/xrx200
• OpenWrt Device: BT Home Hub 5a

---

✅ Formalities

• I have reviewed the CONTRIBUTING.md file for detailed contributing guidelines.

If your PR contains a patch:

• It can be applied using git am
• It has been refreshed to avoid offsets, fuzzes, etc., using

  make package/<your-package>/refresh V=s

• It is structured in a way that it is potentially upstreamable
  _{(e.g., subject line, commit description, etc.)
  We must try to upstream patches to reduce maintenance burden.}

[jacklovell]

I guess luci-app-ocserv should also be updated to support the new UCI options if this gets merged, but would it be better to do that in a separate PR or add the changes to this one?

[nmav]

LGTM

[nmav]

Shouldn't this go to master first and then to branch? Regarding luci, I'd keep these separate as a second step.

[jacklovell]

Shouldn't this go to master first and then to branch? Regarding luci, I'd keep these separate as a second step.

I don't know, this is my first time contributing to OpenWRT packages. I haven't tested it against snapshot, only 25.12. Though I have no reason to expect it wouldn't work on master.