In openvpn 2.3.0 the semantics of the --tls-remote option changed.
That broke more configurations than anticipated. To stop breaking
configurations that use --tls-remote with a legacy OpenSSL style DN,
such a DN is now detected when it is configured, and when necessary
the --compat-names option is enabled automatically.

Signed-off-by: Heiko Hund <heiko.h...@sophos.com>
---
 src/openvpn/options.c |    6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index dd38bc9..7fda76f 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -6528,6 +6528,12 @@ add_option (struct options *options,
   else if (streq (p[0], "tls-remote") && p[1])
     {
       VERIFY_PERMISSION (OPT_P_GENERAL);
+      /*
+       * Enable legacy openvpn format for DNs that have not been converted
+       * yet and X.509 common names (not containing an '=' or ', ')
+       */
+      if (p[1][0] == '/' || !strchr (p[1], '=') || !strstr (p[1], ", "))
+        compat_flag (COMPAT_FLAG_SET | COMPAT_NAMES);
       options->tls_remote = p[1];
     }
   else if (streq (p[0], "ns-cert-type") && p[1])
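Review bot: The added `if` does not implement what its comment states: the comment describes common names containing neither '=' nor ', ', but the `||` chain enables the legacy format for any value that lacks either one, so a 2.3-style value with a single RDN such as `CN=server` (constructed example) also switches to compat names and, presumably, no longer compares equal to a subject rendered in the new format. If the comment states the intended rule, the last two terms should be conjoined: `if (p[1][0] == '/' || (!strchr (p[1], '=') && !strstr (p[1], ", ")))`. Because this heuristic silently changes how the peer's identity string is formatted before it is compared, it is also worth making the switch visible to the administrator, e.g. `msg (M_INFO, "tls-remote: legacy DN format detected, enabling --compat-names");` next to the compat_flag call, so an unexpected match failure can be traced back to it from the log. The enclosing add_option function starts and ends outside the hunk.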
-- 
1.7.9.5

