From patchwork Wed Nov 19 13:52:38 2025
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4615
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 19 Nov 2025 14:52:38 +0100
Message-ID: <20251119135243.30967-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.49.1
Subject: [Openvpn-devel] [PATCH v2] doc: Document potential filesystem pitfalls of client-config-dir
From: Frank Lichtenheld Reported-By: stefan@srlabs.de Change-Id: I23ea00dbd62271838aa72e913b743cc679ff2386 Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1380 --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1380 This mail reflects revision 2 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst index 5243a06..739be22 100644 --- a/doc/man-sections/server-options.rst +++ b/doc/man-sections/server-options.rst @@ -144,6 +144,16 @@ ``--push-reset``, ``--push-remove``, ``--iroute``, ``--ifconfig-push``, ``--vlan-pvid`` and ``--config``. + **Note:** OpenVPN uses the CN exactly as written in the certificate. + But since this is a file access the filesystem might interfere. + Importantly OpenVPN will consider two CNs that only differ in case as + different names but a case-insensitive filesystem (like you might + encounter on Windows or macOS) will treat them as the same. When you + generate your certificates make sure that the CNs are sufficiently + different to not cause issues. When trusting an external CA note that + this is a potential attack vector via maliciously generated + certificates that exploit this issue. + --client-to-client Because the OpenVPN server mode handles multiple clients through a single tun or tap interface, it is effectively a router. The
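Review bot: the added note hedges where it should be concrete. "But since this is a file access the filesystem might interfere." and "sufficiently different to not cause issues" leave the reader to work out the actual consequence, which follows directly from the surrounding text: on a case-insensitive filesystem, two certificates whose CNs differ only in case resolve to the same client-config-dir file, so the second client receives the first client's per-client settings (the ``--iroute``, ``--ifconfig-push`` and other options listed just above the note). Suggest stating that outcome in the note itself, replacing "the CNs are sufficiently different to not cause issues" with "no two CNs map to the same file name after case folding", and replacing "But since this is a file access the filesystem might interfere." with "Because the CN is used as a file name, the filesystem's own naming rules apply." Two smaller points: "Importantly OpenVPN will consider" needs a comma after "Importantly", and since the hunk names only case differences, consider wording the warning so that readers do not take case to be the only filesystem normalization that can make two distinct CNs collide.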