On 05.10.20 at 02:51, Vladislav Grishenko wrote:

> OpenVPN has the ability to choose a different X509 field in case "CN"
> cannot be used as the unique connected username, since commit
> 935c62be9c0c8a256112df818bfb8470586a23b6 "Choose a different field in
> X509 to be username".
> Unfortunately it's not enough in the case when a client has multiple
> valid certificates from the PKI for different devices (e.g. laptop,
> mobile, etc.) with the same CN/UID.
>
> Having --duplicate-cn as a workaround helps only partially: clients can
> be connected, but it breaks coexistence with --ifconfig-pool-persist and
> --client-config-dir and opens the door to a DoS possibility, since the same
> client device (with the same cert) being reconnected no longer replaces the
> previously connected session, so it can exhaust server resources (e.g. the
> address pool) and can prevent other clients from being connected.
>
> With this patch, multiple X509 fields incl. "serialNumber" can be chosen
> to be the username with --x509-username-field parameters; they will be
> concatenated into one username using the '_' separator. As long as the
> resulting username is unique, --duplicate-cn will not be required.
> The default field is preserved as "CN".
>
> The OpenSSL backend is the only one supported, since so far MbedTLS has no
> --x509-username-field support at all.
>
> v2: conform C99, man update, fix typos
> v3: reuse buffer methods, drop delimiter define, use memcpy
> v4: man update, change separator to "_" to avoid path issues on Windows
> v5: mention collision possibility with "_" separator in man,
>     capitalize hex serialNumber value
> diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c
> index 454efeec..34e1de01 100644
> --- a/src/openvpn/ssl_verify_openssl.c
> +++ b/src/openvpn/ssl_verify_openssl.c
> @@ -269,6 +269,21 @@ backend_x509_get_username(char *common_name, int cn_len,
> return FAILURE;
> }
> }
> + else if (strcmp(LN_serialNumber,x509_username_field) == 0)
> + {

Whitespace error after ','.

Otherwise the patch looks good now. (We had informal reviews on IRC that prompted the newer versions.)

Acked-By: Arne Schwabe <a...@rfc2549.org>
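Review bot: the added line `else if (strcmp(LN_serialNumber,x509_username_field) == 0)` is missing a space after the comma, as already flagged above; the rest of the `+15` lines announced by the hunk header (the body that extracts the serial and formats it as capitalized hex per v5) is not quoted here, so the serial-number handling itself cannot be checked from this excerpt. One documentation point worth adding to the man page change: a certificate serial number is only guaranteed unique per issuing CA, so a deployment that accepts more than one CA should not treat "serialNumber" alone as a unique username.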
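As an added illustration of the behaviour the cover letter describes (this is example code written for this page, not OpenVPN's implementation): the selected X.509 fields are joined with '_' into the connected username, the serial number is rendered as upper-case hex, and a small collision check shows why the v5 man-page note about the '_' separator matters. The certificate records and the single-CA PKI they represent are constructed sample data.

```python
"""Username construction from multiple X.509 fields, modelled on the
--x509-username-field behaviour described in the patch cover letter.
Example code, not OpenVPN's own; the certificate records are constructed."""
from collections import defaultdict

SEPARATOR = "_"  # separator chosen in v4 to avoid path issues on Windows


def field_value(cert, field):
    """Return the string OpenVPN-style username building would use for one field.
    serialNumber is special-cased: it is taken from the certificate serial and
    rendered as upper-case hex (the v5 change), not from the subject DN."""
    if field == "serialNumber":
        return format(cert["serial"], "X")
    return cert["subject"][field]


def build_username(cert, fields=("CN",)):
    """Concatenate the selected fields with '_'; the default field is CN."""
    return SEPARATOR.join(field_value(cert, f) for f in fields)


def find_collisions(certs, fields):
    """Map every username that more than one certificate would produce to the
    labels of those certificates. An empty result means the chosen field set
    yields unique usernames and --duplicate-cn would not be needed."""
    seen = defaultdict(list)
    for cert in certs:
        seen[build_username(cert, fields)].append(cert["label"])
    return {name: labels for name, labels in seen.items() if len(labels) > 1}


# Constructed sample PKI (assumed to be issued by a single CA, so serials are unique):
# alice has two devices sharing one CN; bob's records show the '_' collision case.
SAMPLE_CERTS = [
    {"label": "alice-laptop", "serial": 0x1A2B,
     "subject": {"CN": "alice", "emailAddress": "alice@example.org"}},
    {"label": "alice-phone", "serial": 0x1A2C,
     "subject": {"CN": "alice", "emailAddress": "alice@example.org"}},
    {"label": "bob_c", "serial": 0x0F,
     "subject": {"CN": "bob_c", "emailAddress": "d@example.org"}},
    {"label": "bob", "serial": 0x10,
     "subject": {"CN": "bob", "emailAddress": "c_d@example.org"}},
]

if __name__ == "__main__":
    for fields in (("CN",), ("CN", "serialNumber"), ("CN", "emailAddress")):
        print(fields, "->", find_collisions(SAMPLE_CERTS, fields) or "no collisions")
```

With CN alone, alice's two devices collide (the situation the patch addresses); adding serialNumber makes all four usernames distinct; CN plus emailAddress shows that a '_' inside a field value can make two different certificates produce the same joined username, which is why the v5 man-page note exists and why the server operator, not the patch, has to guarantee uniqueness of the chosen field combination.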
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel