On 05.10.20 at 02:51, Vladislav Grishenko wrote:
> OpenVPN has the ability to choose a different X509 field in case "CN"
> cannot be used as the unique connected username, since commit
> 935c62be9c0c8a256112df818bfb8470586a23b6 "Choose a different field in
> X509 to be username".
> Unfortunately it's not enough in case the client has multiple valid
> certificates from the PKI for different devices (ex. laptop,
> mobile, etc.) with the same CN/UID.
> 
> Having --duplicate-cn as a workaround helps only partially: clients can
> be connected, but it breaks coexistence with --ifconfig-pool-persist and
> --client-config-dir and opens the door to a DoS possibility, since the same
> client device (with the same cert) being reconnected no longer replaces the
> previously connected session, so it can exhaust server resources (ex. the
> address pool) and can prevent other clients from connecting.
> 
> With this patch, multiple X509 fields incl. "serialNumber" can be chosen
> to be the username with --x509-username-field parameters; they will be
> concatenated into one username using the '_' separator. As long as the
> resulting username is unique, --duplicate-cn will not be required.
> The default field is preserved as "CN".
> 
> The OpenSSL backend is the only one supported, since so far mbedTLS has no
> --x509-username-field support at all.
> 
> v2: conform C99, man update, fix typos
> v3: reuse buffer methods, drop delimiter define, use memcpy
> v4: man update, change separator to "_" to avoid path issues on Windows
> v5: mention collision possibility with "_" separator in man
>     capitalize hex serialNumber value

> diff --git a/src/openvpn/ssl_verify_openssl.c 
> b/src/openvpn/ssl_verify_openssl.c
> index 454efeec..34e1de01 100644
> --- a/src/openvpn/ssl_verify_openssl.c
> +++ b/src/openvpn/ssl_verify_openssl.c
> @@ -269,6 +269,21 @@ backend_x509_get_username(char *common_name, int cn_len,
>              return FAILURE;
>          }
>      }
> +    else if (strcmp(LN_serialNumber,x509_username_field) == 0)
> +    {
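Review bot: style nit in the new `else if` at the top of this hunk: `strcmp(LN_serialNumber,x509_username_field) == 0` is missing the space after the comma that the project's coding style calls for; write `strcmp(LN_serialNumber, x509_username_field) == 0`. The body of the new branch is not quoted here, so only the condition line can be checked in this reply.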

Whitespace error after ,

Otherwise the patch looks good now. (We had informal reviews on IRC that
prompted the newer versions)

Acked-By: Arne Schwabe <a...@rfc2549.org>


_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
