Bug #3602
closed
I am not sure what the bug is here. AFAICT OpenVPN only tries to match the user against the Common Name (not SAN!) in the client certificate (and forcing that is not even enabled by default; there is a Strict User/CN Matching checkbox for this purpose). Other than that, as long as the certificate has been issued by the peer CA you configured and is not on the CRL, it will be accepted.
It really would be better to start some forum thread before filing bugs like this.
- Status changed from New to Rejected
That is correct. OpenVPN only checks that the cert is a valid cert (not expired, not revoked) from the same CA as the server. The strict user/CN matching should only match the CN against the authenticated username. There is no bug here as described.