On 22.02.13 10:44, Heiko Hund wrote:
Add the option --verify-x509-name to provide the functionality
of the now deprecated --tls-remote.

The new option accepts RFC 2253 subject DNs only and compares
RDN or RDN prefix only if configured explicitly.

I looked through these and I think they are okay. Since most users don't know what RDN, RDN prefix and DN are, an example like

A certificate with a DN CN=openvpn.example.com, OU=Avian IP Carriers, L=NRW would be matched by:

verify-x509-name "C=DE, OU=BLINKT, CN=openvpn.blinkt.de"

or

verify-x509-name openvpn.blinkt.de subject

or

verify-x509-name openvpn.bl name-prefix


Most users and certificates will probably use the second form with subject. I also think that for standard x509 certificates it may be a good option to also include name-suffix so you can do:

verify-x509-name .blinkt.de name-suffix


+        || (opt->verify_x509_type == VERIFY_X509_SUBJECT_RDN
+            && strcmp (opt->verify_x509_name, common_name) == 0)

+        || (opt->verify_x509_type == VERIFY_X509_SUBJECT_RDN_PREFIX
+            && strncmp (opt->verify_x509_name, common_name,
+                        strlen (opt->verify_x509_name)) == 0) )
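Review bot: the prefix branch uses strlen (opt->verify_x509_name) as the strncmp length, so an empty configured name yields a length of 0 and strncmp returns 0 for every common_name, i.e. every certificate passes. Unless option parsing already rejects an empty --verify-x509-name, guard this comparison with a non-empty check such as `&& *opt->verify_x509_name`. The strcmp branch in the preceding lines is not affected, since it requires the whole string, terminating NUL included, to match.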

This is correct but it took me a while to understand that strcmp will compare the 0 byte in opt->verify_x509_name and strncmp with strlen as length will not include the 0. The joys of C...

Arne
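As an added illustration of the three matching forms discussed above (exact subject RDN, RDN prefix, and the name-suffix form Arne proposes), here is a small, self-contained C function. It is example code written for this thread, not Heiko's patch and not OpenVPN's own implementation; the enum names, the function name `x509_name_matches` and the suffix mode are assumptions made for the example. It also shows the strcmp/strncmp subtlety mentioned in the review and refuses an empty configured name, which would otherwise prefix-match every certificate.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Match modes mirroring the three forms discussed in the thread. These are
 * illustrative constants for this example, not OpenVPN's own enum values. */
enum x509_name_mode {
    X509_MATCH_SUBJECT,      /* "verify-x509-name foo subject"                  */
    X509_MATCH_NAME_PREFIX,  /* "verify-x509-name foo name-prefix"              */
    X509_MATCH_NAME_SUFFIX   /* "verify-x509-name foo name-suffix" (proposed)   */
};

/*
 * Compare the configured name against the certificate's common name.
 * Returns true on a match, false otherwise.
 *
 * strcmp() compares up to and including the terminating NUL on both sides,
 * so it is an exact full-string match. strncmp() limited to
 * strlen(configured) never reaches the NUL of `configured`, so it is a
 * prefix match. If `common_name` is shorter than `configured`, strncmp()
 * hits common_name's NUL first and reports a mismatch, so a short common
 * name cannot pass the prefix check.
 */
bool x509_name_matches(enum x509_name_mode mode,
                       const char *configured,
                       const char *common_name)
{
    size_t cfg_len, cn_len;

    if (configured == NULL || common_name == NULL)
        return false;

    cfg_len = strlen(configured);
    if (cfg_len == 0)
        /* An empty configured name would trivially prefix-match every
         * certificate; refuse it rather than silently accept everything. */
        return false;

    switch (mode) {
    case X509_MATCH_SUBJECT:
        return strcmp(configured, common_name) == 0;

    case X509_MATCH_NAME_PREFIX:
        return strncmp(configured, common_name, cfg_len) == 0;

    case X509_MATCH_NAME_SUFFIX:
        cn_len = strlen(common_name);
        if (cn_len < cfg_len)
            return false;
        /* Compare the tail of common_name whose length equals cfg_len. */
        return strcmp(configured, common_name + (cn_len - cfg_len)) == 0;
    }
    return false;
}
```

With a certificate whose CN is openvpn.blinkt.de, the subject form matches only the exact string, the prefix form matches "openvpn.bl", and the suffix form matches ".blinkt.de"; a CN of plain "blinkt.de" is rejected by the suffix check because it is shorter than the configured suffix.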
