From: Arne S. <ar...@rf...> - 2013-03-06 22:00:12
On 22.02.13 10:44, Heiko Hund wrote:
> Add the option --verify-x509-name to provide the functionality
> of the now deprecated --tls-remote.
>
> The new option accepts RFC 2253 subject DNs only and compares
> RDN or RDN prefix only if configured explicitly.
>

I looked through these and I think they are okay. Since most users don't know what RDN, RDN prefix and DN are, an example like

  A certificate with a DN CN=openvpn.example.com, OU=Avian IP Carriers, L=NRW would be matched by:

  verify-x509-name "C=DE, OU=BLINKT, CN=openvpn.blinkt.de"
  or
  verify-x509-name openvpn.blinkt.de subject
  or
  verify-x509-name openvpn.bl name-prefix

Most users and certificates will probably use the second form with subject.

I also think that for standard x509 certificates it may be a good option to also include name-suffix so you can do:

  verify-x509-name .blinkt.de name-suffix

+ || (opt->verify_x509_type == VERIFY_X509_SUBJECT_RDN
+ && strcmp (opt->verify_x509_name, common_name) == 0)
+ || (opt->verify_x509_type == VERIFY_X509_SUBJECT_RDN_PREFIX
+ && strncmp (opt->verify_x509_name, common_name,
+ strlen (opt->verify_x509_name)) == 0) )

This is correct but it took me a while to understand that strcmp will compare the 0 byte in opt->verify_x509_name and strncmp with strlen as length will not include the 0. The joys of C...

Arne
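Review bot: In the VERIFY_X509_SUBJECT_RDN_PREFIX branch, strncmp with strlen (opt->verify_x509_name) as the length returns 0 when verify_x509_name is the empty string, so an empty name-prefix would match every common_name unless option parsing already rejects an empty --verify-x509-name; either add a length check in this condition or note that the parser guarantees a non-empty name. The same branch accepts any CN that merely begins with the configured string, which the --verify-x509-name documentation should state explicitly so that users choose a prefix ending in the separator they intend.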
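As an added example (not OpenVPN's code and not Heiko's patch), the three match forms discussed above plus the name-suffix form Arne proposes, written as one comparison function so the strcmp/strncmp difference he describes is visible side by side. The enum names, the function name and the certificate values are assumptions made up for this illustration:

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical match modes, not OpenVPN's enum: the three forms from the
 * thread plus the proposed name-suffix form. */
enum x509_name_mode {
    MATCH_SUBJECT,     /* full RFC 2253 subject DN, exact match */
    MATCH_RDN,         /* common name (CN), exact match */
    MATCH_RDN_PREFIX,  /* CN begins with the configured string */
    MATCH_RDN_SUFFIX   /* CN ends with the configured string (proposed) */
};

/* Return true if the certificate's subject/CN matches the configured name.
 * 'configured' is the value given to --verify-x509-name. */
bool x509_name_matches(enum x509_name_mode mode, const char *configured,
                       const char *subject, const char *common_name)
{
    size_t cfg_len = strlen(configured);
    size_t cn_len = strlen(common_name);

    /* An empty configured name must never match: strncmp() with length 0
     * returns 0 for any input, so the prefix form would accept every CN. */
    if (cfg_len == 0)
        return false;

    switch (mode) {
    case MATCH_SUBJECT:
        return strcmp(configured, subject) == 0;
    case MATCH_RDN:
        /* strcmp compares up to and including the terminating 0 byte, so
         * a longer CN that merely starts with the configured name fails. */
        return strcmp(configured, common_name) == 0;
    case MATCH_RDN_PREFIX:
        /* strncmp with strlen(configured) stops before the 0 byte of the
         * configured string, so any CN starting with it is accepted. */
        return strncmp(configured, common_name, cfg_len) == 0;
    case MATCH_RDN_SUFFIX:
        /* Compare the tail of the CN; a CN shorter than the suffix fails. */
        return cn_len >= cfg_len &&
               strcmp(common_name + (cn_len - cfg_len), configured) == 0;
    }
    return false;
}

int main(void)
{
    /* Constructed certificate fields for the demonstration. */
    const char *subject = "C=DE, OU=BLINKT, CN=openvpn.blinkt.de";
    const char *cn = "openvpn.blinkt.de";

    printf("subject exact : %d\n", x509_name_matches(MATCH_SUBJECT, subject, subject, cn));
    printf("rdn exact     : %d\n", x509_name_matches(MATCH_RDN, "openvpn.blinkt.de", subject, cn));
    printf("rdn prefix    : %d\n", x509_name_matches(MATCH_RDN_PREFIX, "openvpn.bl", subject, cn));
    printf("rdn suffix    : %d\n", x509_name_matches(MATCH_RDN_SUFFIX, ".blinkt.de", subject, cn));
    printf("empty prefix  : %d\n", x509_name_matches(MATCH_RDN_PREFIX, "", subject, cn));
    return 0;
}
```

Two points the function makes concrete: the exact forms reject a CN such as "openvpn.blinkt.de2" because strcmp reaches the 0 byte of the configured name, while the prefix form accepts it; and the suffix form only behaves like a domain match when the configured value keeps its leading dot, since a bare "blinkt.de" suffix would also accept "notblinkt.de".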