| Message ID | 20251119135243.30967-1-gert@greenie.muc.de |
|---|---|
| State | Accepted |
| Series | [Openvpn-devel,v2] doc: Document potential filesystem pitfalls of client-config-dir |
Just documentation (welcome, of course ;-) ) but not much to test here.
Your patch has been applied to the master branch.
commit 8d278223df96e74e9b7ad8ae962ac28761a6fb19
Author: Frank Lichtenheld
Date: Wed Nov 19 14:52:38 2025 +0100
doc: Document potential filesystem pitfalls of client-config-dir
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1380
Message-Id: <20251119135243.30967-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34541.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
--
kind regards,
Gert Doering
diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst index 5243a06..739be22 100644 --- a/doc/man-sections/server-options.rst +++ b/doc/man-sections/server-options.rst @@ -144,6 +144,16 @@ ``--push-reset``, ``--push-remove``, ``--iroute``, ``--ifconfig-push``, ``--vlan-pvid`` and ``--config``. + **Note:** OpenVPN uses the CN exactly as written in the certificate. + But since this is a file access the filesystem might interfere. + Importantly OpenVPN will consider two CNs that only differ in case as + different names but a case-insensitive filesystem (like you might + encounter on Windows or macOS) will treat them as the same. When you + generate your certificates make sure that the CNs are sufficiently + different to not cause issues. When trusting an external CA note that + this is a potential attack vector via maliciously generated + certificates that exploit this issue. + --client-to-client Because the OpenVPN server mode handles multiple clients through a single tun or tap interface, it is effectively a router. The
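Review bot: The advice "make sure that the CNs are sufficiently different" in the added note is too vague to act on. The preceding sentence already identifies the problem as CNs that differ only in case, so say that directly, for example "make sure that no two CNs differ only in letter case". The closing sentence names an attack vector when trusting an external CA but gives the operator no mitigation; consider adding one, such as keeping the client-config-dir on a case-sensitive filesystem. Minor wording: "But since this is a file access the filesystem might interfere" needs a comma after "access" and would read better without the leading "But", and "Importantly" should be followed by a comma.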