Package: openvpn
Version: 2.1.0-2
Severity: wishlist

Hi,

with LDAP deployments becoming more and more commonplace, private PKIs can
be expected to try to create a mapping between the LDAP DNs of users and the
DNs in their certificates.

A typical LDAP DN at a Unix site looks like this:

uid=username,ou=People,dc=somedomain,dc=tld

It's entirely possible to issue a certificate to this DN as a subject. Alas,
using such certificates with OpenVPN is currently impossible; an attempt to
do so yields:

VERIFY ERROR: could not extract Common Name from X509 subject string ('/UID=someuser/OU=People/DC=somedomain/DC=tld') -- note that the Common Name length is limited to 64 characters
TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed
SIGUSR1[soft,tls-error] received, client-instance restarting

IIUC, the only point in parsing out the CN is to have a hopefully unique
"friendly name" for the client. The --username-as-common-name option looks
like a promising workaround, but unfortunately the failure to find a CN in
the subject string still causes the connection to fail even if a remote
username is supplied and username-as-common-name is enabled.

Please implement one or more of the following:

1. If username-as-common-name is specified, use the remote username as the
CN right away and don't even try to parse the CN out of the subject string.

2. Allow the administrator to specify a different attribute instead of CN to
look for in the subject string (e.g. uid). This would not be ideal because
while people would have uids, devices would still have CNs (so OpenVPN
servers may have to deal with differently constructed DNs).

3. Allow the administrator to specify a list of attributes to look for in
the subject string to use as CN.

4. Add an option to use the entire DN instead of only part of it to "name"
the client.

5. Allow an external script or plugin to set OpenVPN's idea of the CN based
on the client certificate (or just the subject string) and/or the username.

Thanks

Andras

-- 
 Andras Korn <korn at elan.rulez.org> - <http://chardonnay.math.bme.hu/~korn/>
    Just because nobody complains doesn’t mean all parachutes are perfect.
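As an added illustration that is not part of the report or of OpenVPN's own code, the following Python sketch shows how proposals 1, 3 and 4 could fit together: it parses the slash-separated subject string OpenVPN prints in the log above, walks an administrator-supplied list of attributes to pick a friendly name (a one-element list is proposal 2), enforces the 64-character limit the error message mentions, and can fall back to the whole DN. The function names, option names and the backslash-escaping rule are assumptions.

```python
from __future__ import annotations
import re
from typing import Optional, Sequence

# Maximum Common Name length quoted in OpenVPN's VERIFY ERROR message.
MAX_CN_LEN = 64

# One "/ATTR=value" component of the subject string; a backslash-escaped
# character inside a value (e.g. "\/") is kept as part of the value.
# The escaping rule is an assumption, not taken from OpenVPN.
_COMPONENT = re.compile(r"/(?P<attr>[A-Za-z0-9.]+)=(?P<value>(?:\\.|[^/\\])*)")


def parse_subject(subject: str) -> list[tuple[str, str]]:
    """Return [(ATTR, value), ...] in subject order, with escapes removed."""
    return [(m.group("attr").upper(), re.sub(r"\\(.)", r"\1", m.group("value")))
            for m in _COMPONENT.finditer(subject)]


def friendly_name(subject: str,
                  attrs: Sequence[str] = ("CN",),
                  username: Optional[str] = None,
                  username_as_common_name: bool = False,
                  use_full_dn: bool = False) -> Optional[str]:
    """Choose the client's 'friendly name' or return None (the VERIFY ERROR case).

    Precedence: proposal 1 (remote username wins outright), then proposal 3
    (first attribute in `attrs` that is present and within MAX_CN_LEN),
    then proposal 4 (the entire DN).
    """
    if username_as_common_name and username:
        return username
    components = parse_subject(subject)
    for wanted in attrs:
        for attr, value in components:
            if attr == wanted.upper() and 0 < len(value) <= MAX_CN_LEN:
                return value
    if use_full_dn:
        return subject
    return None


if __name__ == "__main__":
    # Constructed sample: the DN shape from the report, with default settings
    # (CN only) reproducing the failure and a CN/UID list resolving it.
    dn = "/UID=someuser/OU=People/DC=somedomain/DC=tld"
    print(friendly_name(dn))                         # None -> VERIFY ERROR
    print(friendly_name(dn, attrs=("CN", "UID")))    # someuser
```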
