Opened 4 years ago
Last modified 4 years ago
#1289 new Bug / Defect
Using x509-username-field
| Reported by: | krishnamurthydv | Owned by: | Steffan Karger |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | Crypto | Version: | OpenVPN 2.4.7 (Community Ed) |
| Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | |
| Cc: | | | |
Description
Hi
We are using x509-username-field option in openvpn server configuration file as:
....
tcp-nodelay
x509-username-field ext:subjectAltName
....
Our intention was to use the SubjectAltName in the client certificate instead of their CN. Clients connecting to this server do have x509v3 extensions in their certificates (like this example)
....
X509v3 Subject Alternative Name:
DNS:client1.abc.io, DNS:client2.abc.io, DNS:client3.abc.io
....
But when a client tries to connect to the server we are seeing an error at the server and the connection fails. Is there anything wrong in the configuration or anything missed?
Fri Jun 12 10:23:16 2020 us=970524 119.82.104.234:39962 VERIFY ERROR: could not extract ext:subjectAltName from X509 subject string ('O=ABC, OU=abc-system, CN=client1.abc.io') -- note that the username length is limited to 64 characters
Change History (3)
comment:1 Changed 4 years ago by
comment:2 Changed 4 years ago by
So it looks like only the email id in the SAN is supported. Is that right? Are FQDNs not supported?
Are there any plans to add this in the near future?
comment:3 Changed 4 years ago by
| Component: | Generic / unclassified → Crypto |
|---|---|
| Owner: | set to Steffan Karger |
Please see: