On Mon, Sep 19, 2022 at 12:07:40AM +0200, Antonio Quartulli wrote:
> From: Mateusz Markowicz <ponie...@protonmail.com>
>
> When using "--verify-x509-name [hostname] subject-alt-name" hostname
> will now be accepted also when matched against one of the
> X509v3 Subject Alternative Name IP or DNS entries (instead of just
> Subject's CN).
The code looks like it would do what it says, but the options are then very confusing, I think.

So if you want to check the name against a SAN of type EMAIL you need to specify "x509-username-field ext:subjectAltName", but that will only match against the last SAN. But if you want to check against a SAN of type DNS or IP you need to specify "verify-x509-name [hostname] subject-alt-name", which does not allow the combination with other fields like x509-username-field but matches against all SANs. Huh?

The design choices that went into the existing x509-username-field seem questionable in hindsight and don't give a good way of integrating this functionality. But having two completely separate implementations of "extract a name from SAN" seems wasteful as well.

Don't have any good solutions to offer atm. Just noting the mess.

Regards,
--
Frank Lichtenheld
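To make the mismatch Frank points out concrete, here is an added Python model of the two matching behaviours described in this thread. It is not OpenVPN code and not part of the patch; it works on a constructed list of SAN entries rather than a real certificate, and the comparison rules (case-insensitive DNS names, IP literals compared as parsed addresses, only EMAIL-type entries counting for ext:subjectAltName) are assumptions made for the example, not statements from the thread.

```python
import ipaddress
from typing import List, Optional, Tuple, Union

# A SAN entry as (kind, value); the kinds are the X509v3 GeneralName types the
# thread mentions (DNS, IP, EMAIL). The list below is constructed sample data.
San = Tuple[str, str]
IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

SAMPLE_SANS: List[San] = [
    ("DNS", "vpn.example.com"),
    ("IP", "2001:db8::1"),
    ("IP", "192.0.2.10"),
    ("EMAIL", "ops@example.com"),
    ("EMAIL", "admin@example.com"),
]


def _parse_ip(text: str) -> Optional[IPAddress]:
    """Return the parsed address, or None if the string is not an IP literal."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def matches_subject_alt_name(sans: List[San], expected: str) -> bool:
    """Semantics of 'verify-x509-name <name> subject-alt-name' as the patch
    describes them: accept when <name> matches ANY DNS or IP SAN entry.
    Assumed comparison rules (not stated in the thread): DNS names compare
    case-insensitively; IP literals compare as parsed addresses, so that
    2001:0db8::1 and 2001:db8::1 are equal."""
    expected_ip = _parse_ip(expected)
    for kind, value in sans:
        if kind == "DNS" and expected_ip is None and value.lower() == expected.lower():
            return True
        if kind == "IP" and expected_ip is not None and _parse_ip(value) == expected_ip:
            return True
    return False


def username_from_ext_san(sans: List[San]) -> Optional[str]:
    """Semantics of 'x509-username-field ext:subjectAltName' as Frank describes
    them: only the last SAN is used, so earlier entries are overwritten.
    Assumption for this example: only EMAIL-type entries are considered."""
    name = None
    for kind, value in sans:
        if kind == "EMAIL":
            name = value
    return name


def compare_options(sans: List[San], name: str) -> dict:
    """Report which of the two option styles would accept the given name for a
    certificate carrying these SANs."""
    return {
        "verify-x509-name subject-alt-name": matches_subject_alt_name(sans, name),
        "x509-username-field ext:subjectAltName": username_from_ext_san(sans) == name,
    }


if __name__ == "__main__":
    for candidate in ("VPN.example.com", "2001:0db8::1",
                      "ops@example.com", "admin@example.com"):
        print(candidate, compare_options(SAMPLE_SANS, candidate))
```

Running it shows the asymmetry: the DNS and IP names are accepted by the subject-alt-name form regardless of their position in the list, while of the two EMAIL entries only the last one (admin@example.com) is ever visible through ext:subjectAltName, so ops@example.com is matched by neither option.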