Opened 2 years ago

Last modified 2 years ago

#1289 new Bug / Defect

Using x509-username-field

Reported by: krishnamurthydv Owned by: Steffan Karger
Priority: major Milestone:
Component: Crypto Version: OpenVPN 2.4.7 (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords:



We are using x509-username-field option in openvpn server configuration file as:

x509-username-field ext:subjectAltName
Our intention was to use Subject AltName? in the client certificate instead of their CN. Clients connecting to this server do have x509v3 extensions in their certificates (like example)
X509v3 Subject Alternative Name:,,


But when client tries to connect to the server we are seeing an error at the server and connection fails. Is there anything wrong in the configuration of anything missed?

Fri Jun 12 10:23:16 2020 us=970524 VERIFY ERROR: could not extract ext:subjectAltName from X509 subject string ('O=ABC, OU=abc-system,') -- note that the username length is limited to 64 characters

Change History (3)

comment:1 Changed 2 years ago by tct

Please see:

--x509-username-field [ext:]fieldname
    Field in the X.509 certificate subject to be used as the 
username (default=CN). Typically, this option is specified with 
fieldname as either of the following:

    --x509-username-field emailAddress
    --x509-username-field ext:subjectAltName

    The first example uses the value of the "emailAddress" 
attribute in the certificate's Subject field as the username. 
The second example uses the ext: prefix to signify that the 
X.509 extension fieldname "subjectAltName" be searched for an 
rfc822Name (email) field to be used as the username. In cases 
where there are multiple email addresses in ext:fieldname, the 
last occurrence is chosen. 

comment:2 Changed 2 years ago by krishnamurthydv

So looks like only email id in SAN is supported. Is that right? Are FQDNs not supported?
Is there any plans to add this is the near future?

comment:3 Changed 2 years ago by Gert Döring

Component: Generic / unclassifiedCrypto
Owner: set to Steffan Karger
Note: See TracTickets for help on using tickets.