Feature #9884 (closed)

Add support for OpenVPN --x509-username-field

Added by Florian Apolloner about 5 years ago. Updated almost 5 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: OpenVPN
Target version:
Start date: 11/05/2019
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:

Description

The openvpn shipped with pfsense has enable_x509_alt_username=no as a compilation option. It would be great if that could be turned on to enable reading the CN from different fields in the subject DN. This is helpful to be used together with "Strict User-CN Matching" to match the supplied username against a subject alt name or another field in the subject DN.

#1

Updated by Jim Pingle about 5 years ago

  • Tracker changed from Bug to Feature
  • Subject changed from OpenVPN does not support --x509-username-field to Add support for OpenVPN --x509-username-field
  • Category changed from VPN (Multiple Types) to OpenVPN
  • Affected Version deleted (2.4.4-p3)
  • Affected Architecture deleted (amd64)

This isn't a bug, but a missing feature. Even if it is enabled, it would still need GUI code to configure the behavior.

There is an option in the FreeBSD port to enable it, X509ALTUSERNAME=yes, so it could be enabled in source:tools/conf/pfPorts/make.conf without requiring any alterations to the port itself.

#2

Updated by Florian Apolloner about 5 years ago

Sorry, I realized that it's not a bug immediately after clicking save, but I cannot edit anything :/

> Even if it is enabled, it would still need GUI code to configure the behavior.

One could enable it via "Custom options", so there is no real GUI need for it. Given that it is a rather special option, I'd be fine with doing that as a custom option.

#3

Updated by Jim Pingle about 5 years ago

We currently force on username-as-common-name so I don't think you could override that behavior with this new option without some way to control which is used.

#4

Updated by Florian Apolloner about 5 years ago

That is true, but it doesn't seem to affect "plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so /usr/local/sbin/ovpn_auth_verify_async" (which pfsense also generates), as this script still has the actual common name from the cert (which --x509-username-field would affect) in addition to the user. If this common_name were overridden by the username, then "Strict User-CN Matching" would always be true (it isn't, I checked, which prompted me to try --x509-username-field). Or am I missing something else here?
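
The field selection and strict user/CN comparison discussed in the description and in comment #4, as an added example in Python (not pfSense or OpenVPN code). The subject DN string, SAN list and usernames are constructed, and the DN parser is a simplified one that handles only backslash-escaped commas:

```python
from dataclasses import dataclass, field


@dataclass
class Cert:
    """Constructed stand-in for a client cert (not a real X.509 parser)."""
    subject: dict                                  # subject DN attributes
    san_email: list = field(default_factory=list)  # rfc822Name SAN entries


def parse_subject(dn):
    """Parse 'CN=alice,emailAddress=a@b' into a dict.
    Simplified: only backslash-escaped commas inside values are handled."""
    attrs, parts, token, i = {}, [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):  # keep the escaped character
            token += dn[i + 1]
            i += 2
            continue
        if dn[i] == ",":
            parts.append(token)
            token = ""
        else:
            token += dn[i]
        i += 1
    parts.append(token)
    for part in parts:
        if "=" not in part:
            raise ValueError("malformed RDN: %r" % part)
        key, value = part.split("=", 1)
        attrs[key.strip()] = value.strip()
    return attrs


def username_from_cert(cert, x509_username_field="CN"):
    """Name OpenVPN hands to the auth script as common_name.
    'ext:subjectAltName' selects the email SAN (the only SAN type the option
    supports); anything else names a subject attribute. None means the
    field is absent, which OpenVPN treats as a failed verification."""
    if x509_username_field == "ext:subjectAltName":
        return cert.san_email[0] if cert.san_email else None
    return cert.subject.get(x509_username_field)


def strict_user_cn_match(cert, supplied_username, x509_username_field="CN"):
    """Strict User-CN Matching: the extracted name must equal the login name.
    username-as-common-name rewrites the session CN only after this check,
    so the auth script still sees the certificate's own field (comment #4)."""
    name = username_from_cert(cert, x509_username_field)
    return name is not None and name == supplied_username
```

With the default field a user who logs in as their email address fails the strict check; pointing the field at emailAddress or ext:subjectAltName makes the same login pass, and naming a field the certificate lacks fails closed.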

#5

Updated by Jim Pingle about 5 years ago

  • Assignee set to Jim Pingle
  • Target version set to 2.5.0

I'm not seeing any negative effects to enabling that build option, so it should be fine for testing.

#6

Updated by Jim Pingle about 5 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#7

Updated by Jim Pingle almost 5 years ago

  • Status changed from Feedback to Resolved

    : pkg info openvpn | grep -i ALTUSER
    X509ALTUSERNAME: on

Also no apparent negative effects reported so far.
