Package: openvpn
Version: 2.1.0-2
Severity: wishlist

Hi,

with LDAP deployments becoming more and more commonplace, private PKIs can be expected to try to create a mapping between the LDAP DNs of users and the DNs in their certificates. A typical LDAP DN at a Unix site looks like this:

    uid=username,ou=People,dc=somedomain,dc=tld

It's entirely possible to issue a certificate to this DN as a subject. Alas, using such certificates with OpenVPN is currently impossible; an attempt to do so yields:

    VERIFY ERROR: could not extract Common Name from X509 subject string ('/UID=someuser/OU=People/DC=somedomain/DC=tld') -- note that the Common Name length is limited to 64 characters
    TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
    TLS Error: TLS object -> incoming plaintext read error
    TLS Error: TLS handshake failed
    SIGUSR1[soft,tls-error] received, client-instance restarting

IIUC, the only point in parsing out the CN is to have a hopefully unique "friendly name" for the client. The --username-as-common-name option looks like a promising workaround, but unfortunately the failure to find a CN in the subject string still causes the connection to fail even if a remote username is supplied and username-as-common-name is enabled.

Please implement one or more of the following:

1. If username-as-common-name is specified, use the remote username as the CN right away and don't even try to parse the CN out of the subject string.

2. Allow the administrator to specify a different attribute instead of CN to look for in the subject string (e.g. uid). This would not be ideal because while people would have uids, devices would still have CNs (so OpenVPN servers may have to deal with differently constructed DNs).

3. Allow the administrator to specify a list of attributes to look for in the subject string to use as CN.

4. Add an option to use the entire DN instead of only part of it to "name" the client.

5. Allow an external script or plugin to set OpenVPN's idea of the CN based on the client certificate (or just the subject string) and/or the username.

Thanks
Andras

-- 
Andras Korn <korn at elan.rulez.org> - <http://chardonnay.math.bme.hu/~korn/>
Just because nobody complains doesn’t mean all parachutes are perfect.
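The following is an added example, not OpenVPN's code and not part of the bug report. It parses the '/ATTR=value/...' subject string quoted in the VERIFY ERROR above and shows how the report's proposals 1 through 4 would change which name a server assigns to a client: a remote username that bypasses subject parsing when username-as-common-name is set, an ordered list of attributes to try instead of only CN, and a fall-back to the whole DN. The 64-character limit comes from the quoted error message; the function names, option names and sample subjects are assumptions made for the example.

```python
from __future__ import annotations

# Added example, not OpenVPN's own code. It models the naming behaviour the
# bug report asks for. The '/ATTR=value/...' subject format and the
# 64-character Common Name limit come from the VERIFY ERROR message quoted
# in the report; function names, option names and sample subjects are assumed.

CN_MAX_LEN = 64  # limit quoted in OpenVPN's VERIFY ERROR message


def parse_subject(subject: str) -> list[tuple[str, str]]:
    """Split an OpenVPN-style subject '/UID=x/OU=People/DC=a/DC=b' into an
    ordered list of (attribute, value) pairs.

    Order is kept because a DN may repeat attributes (DC, OU). Attribute
    names are upper-cased to match the form OpenVPN prints. Caveat: this
    one-line format is ambiguous when a value itself contains '/', which
    this simple splitter does not try to handle.
    """
    if not subject.startswith("/"):
        raise ValueError("subject string must start with '/'")
    rdns = []
    for part in subject[1:].split("/"):
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().upper(), value))
    return rdns


def _check_len(name: str, source: str) -> str:
    """Enforce the same length limit OpenVPN applies to the Common Name."""
    if not name:
        raise ValueError(f"{source} value is empty")
    if len(name) > CN_MAX_LEN:
        raise ValueError(f"{source} value exceeds {CN_MAX_LEN} characters: {name!r}")
    return name


def client_name(subject: str, attrs=("CN",), username=None,
                username_as_cn=False, use_full_dn=False) -> tuple[str, str]:
    """Return (name, source) identifying a client.

    Resolution order models the report's proposals:
      1.   username_as_cn with a remote username: use it and skip parsing.
      4.   use_full_dn: use the entire subject string as the name.
      2/3. otherwise try each attribute in `attrs` in order (CN only by
           default, which is what OpenVPN 2.1 does) and take the first hit.
    A LookupError mirrors OpenVPN's 'could not extract Common Name' failure.
    """
    if username_as_cn and username:
        return _check_len(username, "username"), "username"
    rdns = parse_subject(subject)
    if use_full_dn:
        return _check_len(subject, "DN"), "dn"
    for wanted in attrs:
        for attr, value in rdns:
            if attr == wanted.upper():
                return _check_len(value, attr), attr
    raise LookupError(
        f"could not extract any of {tuple(a.upper() for a in attrs)} "
        f"from subject {subject!r}")


if __name__ == "__main__":
    # Constructed sample subjects: the LDAP-style one from the report and a
    # conventional device certificate that only carries a CN.
    ldap_user = "/UID=someuser/OU=People/DC=somedomain/DC=tld"
    device = "/CN=laptop01/O=Example"
    for subj in (ldap_user, device):
        try:
            print(subj, "->", client_name(subj))            # CN only, as today
        except LookupError as err:
            print(subj, "->", err)
        print(subj, "->", client_name(subj, attrs=("CN", "UID")))
    print(ldap_user, "->", client_name(ldap_user, username="alice", username_as_cn=True))
    print(ldap_user, "->", client_name(ldap_user, use_full_dn=True))
```

With the default CN-only lookup the LDAP-style subject fails exactly as the report describes, while the same subject resolves to the uid once UID is on the attribute list; a device certificate keeps resolving through its CN, which is the mixed-DN situation proposal 2 warns about and proposal 3 handles.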