Existing check didn't take into account the case when floated client is
lame duck (CN for lame duck is NULL), which allowed lame duck to float
to an address taken by another client.
As a fix we use cert_hash_compare function which, besides fixing
mentioned case, also allows lame duck to float to a
I've updated the OpenVPN protocol extension doc with additional details,
now that more of these features have been implemented in OpenVPN 3.
If you are implementing any of these features in OpenVPN 2.x, please
review so we can ensure that OpenVPN 2.x and 3 are on the same page with
respect to
