Add support for OpenVPN --x509-username-field
The OpenVPN shipped with pfSense has enable_x509_alt_username=no as a compilation option. It would be great if that could be turned on to enable reading the CN from different fields in the subject DN. This is helpful when used together with "Strict User-CN Matching" to match the supplied username against a subject alt name or another field in the subject DN.
#1 Updated by Jim Pingle 4 months ago
- Tracker changed from Bug to Feature
- Subject changed from OpenVPN does not support --x509-username-field to Add support for OpenVPN --x509-username-field
- Category changed from VPN (Multiple Types) to OpenVPN
- Affected Version deleted (
- Affected Architecture deleted (
This isn't a bug, but a missing feature. Even if it is enabled, it would still need GUI code to configure the behavior.
There is an option in the FreeBSD port to enable it,
X509ALTUSERNAME=yes, so it could be enabled in source:tools/conf/pfPorts/make.conf without requiring any alterations to the port itself.
#2 Updated by Florian Apolloner 4 months ago
Sorry, I realized that it's not a bug immediately after clicking save, but I cannot edit anything :/
Even if it is enabled, it would still need GUI code to configure the behavior.
One could enable it via "Custom options", so there is no real GUI need for it. Given that it is a rather special option, I'd be fine with doing that as a custom option.
#4 Updated by Florian Apolloner 4 months ago
That is true, but it doesn't seem to affect "plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so /usr/local/sbin/ovpn_auth_verify_async" (which pfSense also generates), as this script still has the actual common name from the cert (which --x509-username-field would affect) in addition to the user. If this common_name were overridden by the username, then "Strict User-CN Matching" would always be true (it isn't, I checked, which prompted me to try --x509-username-field). Or am I missing something else here?
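To make the interaction discussed in this thread concrete, here is an added example (it is not pfSense's ovpn_auth_verify_async script and not OpenVPN project code). It shows two things: how the choice of subject field changes the value OpenVPN hands to an auth hook (the subject strings and field names are constructed samples; a real certificate subject can contain escaped commas that this simplified parser does not handle), and how a strict username-to-certificate check behaves on the `username` and `common_name` environment variables that OpenVPN exports to auth scripts. The `strict_cn_match` and `subject_field` function names are this example's own.

```shell
#!/bin/sh
# Added example, not pfSense's or OpenVPN's own code.
# OpenVPN exports the supplied credentials and the certificate's username
# field to an auth script's environment as $username and $common_name.
# With --x509-username-field the latter carries the chosen subject field
# instead of the CN, which is what "Strict User-CN Matching" then compares.

# Pick one attribute out of a comma-separated subject string such as
# "CN=alice,emailAddress=alice@example.org,O=Example" (constructed sample).
# Simplified: does not handle escaped commas inside attribute values.
subject_field() {
    subject="$1"
    field="$2"
    printf '%s\n' "$subject" | tr ',' '\n' \
        | sed -n "s/^[[:space:]]*${field}=//p" | head -n 1
}

# Strict match: both values present and byte-for-byte identical.
# Returns 0 (allow) on match, 1 (deny) otherwise.
strict_cn_match() {
    user="$1"
    cn="$2"
    [ -n "$user" ] && [ -n "$cn" ] && [ "$user" = "$cn" ]
}

# Emulate what OpenVPN would place in $common_name for a given subject,
# depending on whether --x509-username-field was set (default field is CN).
username_field_value() {
    subject="$1"
    field="${2:-CN}"
    subject_field "$subject" "$field"
}

# When actually invoked by OpenVPN ($username is set), enforce the check and
# report the outcome on stderr, where it lands in the OpenVPN log.
if [ -n "${username:-}" ]; then
    if strict_cn_match "$username" "${common_name:-}"; then
        exit 0
    fi
    echo "auth denied: username '$username' does not match certificate field '${common_name:-}'" >&2
    exit 1
fi
```

Run stand-alone the script only defines the functions; under OpenVPN it exits 0 or 1 so the daemon accepts or rejects the client. Running it against a sample subject shows that with the default field a user whose certificate CN is `alice` but who logs in as `alice@example.org` is denied, while with `emailAddress` selected as the username field the same credentials pass.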