OpenVPN can authenticate via a broken certificate
See bug 3470 (https://redmine.pfsense.org/issues/3470).
#1 Updated by Doktor Notor about 6 years ago
I am not sure what the bug is here. AFAICT OpenVPN only tries to match the user against the Common Name (not the SAN!) in the client certificate (and forcing that is not even enabled by default; there is a Strict User/CN Matching checkbox for this purpose). Other than that, as long as the certificate has been issued by the peer CA you configured and is not on the CRL, it will be accepted.
It really would be better to start some forum thread before filing bugs like this.
#2 Updated by Jim Pingle about 6 years ago
- Status changed from New to Rejected
That is correct. OpenVPN only checks that the cert is a valid cert (not expired, not revoked) from the same CA as the server. The strict user/CN matching should only match the CN against the authenticated username. There is no bug here as described.
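The behaviour described in these two replies, reproduced with the openssl CLI as an added example (not from the bug report or from pfSense): a certificate is accepted when it chains to the configured CA and is not expired, regardless of its CN, and only the strict user/CN matching step compares the CN to the authenticated username. It assumes the openssl binary is on PATH and builds a constructed throwaway PKI; no CRL is generated, so that check is only noted in a comment.

```shell
#!/bin/sh
# Added example: emulate OpenVPN's client-certificate acceptance test and the
# optional strict user/CN match. All certificates below are constructed here.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Constructed PKI: the server's CA, a client cert it issued for "alice",
# and a self-signed cert from an unrelated issuer that also claims CN=alice.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/CN=vpn-ca" -days 1 >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout alice.key -out alice.csr \
    -subj "/CN=alice" >/dev/null 2>&1
openssl x509 -req -in alice.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out alice.crt -days 1 >/dev/null 2>&1
openssl req -x509 -newkey rsa:2048 -nodes -keyout other.key -out other.crt \
    -subj "/CN=alice" -days 1 >/dev/null 2>&1

# What OpenVPN checks on its own: the cert chains to the configured CA and is
# within its validity period (openssl verify does both). Revocation checking
# would add "-crl_check -CRLfile <crl.pem>"; no CRL is built in this example.
cert_accepted() {  # $1 = client cert, $2 = CA cert; exit 0 = accepted
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# What "Strict User/CN Matching" adds: the certificate CN must equal the
# username that authenticated. SANs are never consulted.
cert_cn() {  # $1 = cert; prints the CN from the RFC 2253 subject
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" |
        sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}
cn_matches_user() {  # $1 = client cert, $2 = authenticated username
    [ "$(cert_cn "$1")" = "$2" ]
}
```

Run stand-alone, `cert_accepted alice.crt ca.crt` succeeds and `cert_accepted other.crt ca.crt` fails even though both carry CN=alice; `cn_matches_user alice.crt bob` fails only because the CN check is applied.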