Closed jwsi closed 4 years ago
I'm not very familiar with OpenVPN 3, but I know it only implements a subset of the configuration options that are available in OpenVPN 2. Some options like `remote-cert-tls` might be compatibility shims to allow loading a wider range of OpenVPN configuration files. That said, I'm purely guessing here.
That is correct, @mattock. There are some options which have not been implemented in OpenVPN 3. We want to reduce this feature gap for those options which it makes sense to let live further (we have a lot of obscure options which we might not need any more). Both `--remote-cert-tls` and `--verify-x509-name` are really strong candidates for getting a port.
Just following up on this one. I've checked that `--remote-cert-tls` is supported in the current master branch. See openvpn/ssl/kuparse.hpp:68 for details.
@dsommers, now that the `--remote-cert-tls` directive is ported, do you know if there are any plans to include `--verify-x509-name` too?
Yes, `--verify-x509-name` is on our todo list. I don't have an ETA, but I will most likely look into it in the not too far future.
Spotted some commits (7bd55e0a7b56ba443f55b6760ee341aa22e7ed0b) that add this functionality, thanks a lot!
Will give it a test in due course; however, I thought I'd just leave a friendly bump about this issue in case it is closeable!
That's correct! I've been testing this in openvpn3-linux, with good success so far. It got a peer-review during our OpenVPN Hackathon last week, just forgot to update this ticket.
The complete list of commits required is:
7bd55e0a - mbedtls: Add support for --verify-x509-name
ae6bf893 - mbedtls: Add unit tests for x509_get_subject() and x509_get_common_name()
fc060bd3 - mbedtls: Move x509_get_subject() and x509_get_common_name() to an independent file
7900c71f - mbedtls: Add missing include file in x509cert.hpp
61ba6e9c - openssl: Add unit tests for OpenSSLPKI::x509get*() functions
5f881fe7 - openssl: Move generic X.509 cert extraction code to a separate file
58398692 - openssl: Add --verify-x509-name support
71a14a35 - verify-x509-name: Implement base class for processing this option
Hey there,

Upon inspection, the `remote-cert-tls` directive has no effect in configurations. You can use `remote-cert-tls server` or `remote-cert-tls client` without any effects being observed, so no checks seem to be taking place. `remote-cert-ku` and `remote-cert-eku` seem to be working well along with `ns-cert-type` (which is now deprecated).

Furthermore, `verify-x509-name` doesn't even seem to be recognised as an option.

James
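To make concrete what the two directives discussed in this thread add on top of plain CA validation, here is an added, self-contained Go illustration (not code from openvpn3, and not how openvpn3 implements it in kuparse.hpp or the commits listed above; Go is used only because its standard library can build and inspect X.509 certificates offline). It constructs a throwaway CA that signs one server certificate and one ordinary client certificate, shows that both chain to the CA, and then applies the checks that `remote-cert-tls server` (EKU `TLS Web Server Authentication` plus `digitalSignature` key usage) and `verify-x509-name ... name` (exact CN match) perform, so that only the real server certificate is accepted. The names `vpn.example.com` and `alice` and all keys are constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Errors for the checks, named after the OpenVPN directive each one corresponds to.
var (
	ErrNoServerEKU  = errors.New("no TLS Web Server Authentication EKU (remote-cert-tls server / remote-cert-eku)")
	ErrNoDigSig     = errors.New("keyUsage lacks digitalSignature (remote-cert-ku)")
	ErrNameMismatch = errors.New("subject CN differs from the expected name (verify-x509-name <name> name)")
)

// VerifyPeerAsServer runs the peer-identity checks that chain validation alone does not do:
// the certificate must be marked for TLS server use and must carry the expected CN.
func VerifyPeerAsServer(cert *x509.Certificate, expectedCN string) error {
	serverAuth := false
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageServerAuth {
			serverAuth = true
		}
	}
	if !serverAuth {
		return ErrNoServerEKU
	}
	if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return ErrNoDigSig
	}
	if cert.Subject.CommonName != expectedCN {
		return ErrNameMismatch
	}
	return nil
}

// ChainValid reports whether cert chains to ca. ExtKeyUsageAny disables Go's own EKU
// filtering so the result shows exactly what a bare "does it chain to my CA" check accepts.
func ChainValid(cert, ca *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err == nil
}

// issue signs tmpl with parentKey (self-signed when parentKey is nil). Constructed test data.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parentKey == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildTestPKI builds a throwaway CA with one server and one client certificate.
// Both leaves are signed by the same CA, which is the situation --remote-cert-tls exists for:
// without the EKU check, any holder of a client certificate could pose as the server.
func BuildTestPKI() (ca, server, client *x509.Certificate, err error) {
	now := time.Now()
	base := func(serial int64, cn string) x509.Certificate {
		return x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: cn},
			NotBefore:    now.Add(-time.Hour),
			NotAfter:     now.Add(24 * time.Hour),
		}
	}
	caTmpl := base(1, "Constructed Test VPN CA")
	caTmpl.IsCA, caTmpl.BasicConstraintsValid = true, true
	caTmpl.KeyUsage = x509.KeyUsageCertSign
	ca, caKey, err := issue(&caTmpl, nil, nil)
	if err != nil {
		return
	}
	srvTmpl := base(2, "vpn.example.com") // assumed server name
	srvTmpl.KeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
	srvTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	if server, _, err = issue(&srvTmpl, ca, caKey); err != nil {
		return
	}
	cliTmpl := base(3, "alice") // an ordinary client certificate from the same CA
	cliTmpl.KeyUsage = x509.KeyUsageDigitalSignature
	cliTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	client, _, err = issue(&cliTmpl, ca, caKey)
	return
}

func main() {
	ca, server, client, err := BuildTestPKI()
	if err != nil {
		panic(err)
	}
	for _, p := range []struct {
		name string
		cert *x509.Certificate
	}{{"server", server}, {"client", client}} {
		fmt.Printf("%-6s chains to CA: %v, accepted as server: %v\n",
			p.name, ChainValid(p.cert, ca), VerifyPeerAsServer(p.cert, "vpn.example.com"))
	}
}
```

Both leaves pass `ChainValid`; only the server certificate passes `VerifyPeerAsServer`, and the client certificate is rejected on the EKU check before the name is even compared. In an OpenVPN 2 client configuration the equivalent of these two checks is `remote-cert-tls server` together with `verify-x509-name vpn.example.com name`, which is why a `remote-cert-tls` line that is parsed but silently ignored, as the issue above reports, is a real loss of protection rather than a cosmetic gap.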