[Openvpn-devel,2/2] Document x509-username-fields oid usage

Message ID eac80c73-e702-4d5c-b90a-fdaf4edd74f1@gmx.de
State Accepted
Series x509-username-fields improvements

Commit Message

corubba Feb. 15, 2025, 7:01 p.m. UTC
When built against OpenSSL, the parameters of the x509-username-fields
option are in extract_x509_field_ssl() fed through OBJ_txt2obj() [0]
which accepts "long names and short names [...] as well as numerical
forms." Because of this, you can for example use `x509-username-field
2.5.4.41` to make OpenVPN read the `name` field [1].

x509-username-fields is currently not implemented for mbed TLS, so that
can be ignored.

[0] https://docs.openssl.org/1.1.1/man3/OBJ_nid2obj/
[1] https://oidref.com/2.5.4.41

Signed-off-by: Corubba Smith <corubba@gmx.de>
---
 doc/man-sections/tls-options.rst | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

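The commit message notes that a field argument may be a short name, a long name or a numeric OID, which matters when auditing a config: two lines that look different can select the same Subject attribute. The following is an added example, not OpenVPN or OpenSSL code; it normalises ``x509-username-field`` arguments to dotted OIDs using a constructed subset of OpenSSL's object table and a syntactic OID check.

```python
"""Normalise OpenVPN ``x509-username-field`` arguments to dotted OIDs.

Added example, not OpenVPN code: it mirrors the behaviour described in the
commit message (names or numeric OIDs are accepted) so a config audit can
tell that ``emailAddress`` and ``1.2.840.113549.1.9.1`` select the same
attribute. NAME_TO_OID is a constructed subset of OpenSSL's object table.
"""
import re

# Constructed subset of OpenSSL short/long names -> dotted OID.
NAME_TO_OID = {
    "CN": "2.5.4.3", "commonName": "2.5.4.3",
    "serialNumber": "2.5.4.5",
    "name": "2.5.4.41",
    "emailAddress": "1.2.840.113549.1.9.1",
}
DOTTED_OID = re.compile(r"^\d+(\.\d+)+$")


def is_valid_oid(text):
    """Syntactic check: numeric arcs, first arc 0-2, second < 40 if first < 2."""
    if not DOTTED_OID.match(text):
        return False
    arcs = [int(a) for a in text.split(".")]
    if arcs[0] > 2:
        return False
    if arcs[0] < 2 and arcs[1] > 39:
        return False
    return True


def normalise_field(spec):
    """Return (kind, value) for one argument, or raise ValueError.

    kind is 'ext' for ``ext:<name>`` extension specs (value passed through),
    'name' for a known attribute name and 'oid' for a numeric form; for the
    latter two, value is the dotted OID.
    """
    if spec.startswith("ext:"):
        return ("ext", spec[4:])
    if spec in NAME_TO_OID:
        return ("name", NAME_TO_OID[spec])
    if is_valid_oid(spec):
        return ("oid", spec)
    raise ValueError("unknown attribute name or malformed OID: %r" % spec)


def same_attribute(spec_a, spec_b):
    """True when two arguments select the same Subject attribute."""
    kind_a, oid_a = normalise_field(spec_a)
    kind_b, oid_b = normalise_field(spec_b)
    return kind_a != "ext" and kind_b != "ext" and oid_a == oid_b


def parse_config_line(line):
    """Parse 'x509-username-field A B ...' into a list of (kind, value)."""
    parts = line.split()
    if not parts or parts[0] != "x509-username-field":
        raise ValueError("not an x509-username-field line")
    return [normalise_field(p) for p in parts[1:]]
```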

Comments

Gert Doering Feb. 20, 2025, 9:50 a.m. UTC | #1
Acked-by: Gert Doering <gert@greenie.muc.de>

This is an interesting find :-) - if we can do this, we can as well
document it.  Thanks.

(I have not actually tested this, but "man OBJ_txt2obj" confirms)

Your patch has been applied to the master branch.

commit 9f17ad7c281360ec0e970af23f9ba0dc892665c6
Author: corubba via Openvpn-devel
Date:   Sat Feb 15 20:01:44 2025 +0100

     Document x509-username-fields oid usage

     Signed-off-by: Corubba Smith <corubba@gmx.de>
     Acked-by: Gert Doering <gert@greenie.muc.de>
     Message-Id: <eac80c73-e702-4d5c-b90a-fdaf4edd74f1@gmx.de>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30916.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering
Gert Doering Feb. 20, 2025, 9:52 a.m. UTC | #2
Hi,

On Thu, Feb 20, 2025 at 10:50:31AM +0100, Gert Doering wrote:
> Acked-by: Gert Doering <gert@greenie.muc.de>
> 
> This is an interesting find :-) - if we can do this, we can as well
> document it.  Thanks.
> 
> (I have not actually tested this, but "man OBJ_txt2obj" confirms)
> 
> Your patch has been applied to the master branch.
> 
> commit 9f17ad7c281360ec0e970af23f9ba0dc892665c6
> Author: corubba via Openvpn-devel
> Date:   Sat Feb 15 20:01:44 2025 +0100

Ooops.  My script merged this with the list-mangled From:, which my
pre-push-hook refused, so I had to fix the commit and the new ID is
now

commit 680ad840bda4f869d16dac38fd9fa6a643dc10c0
Author: Corubba Smith <corubba@gmx.de>
Date:   Sat Feb 15 20:01:44 2025 +0100

    Document x509-username-fields oid usage

(same content, of course)

gert

Patch

diff --git a/doc/man-sections/tls-options.rst b/doc/man-sections/tls-options.rst
index 7882e924..0638d095 100644
--- a/doc/man-sections/tls-options.rst
+++ b/doc/man-sections/tls-options.rst
@@ -744,11 +744,13 @@  If the option is inlined, ``algo`` is always :code:`SHA256`.
   ::

      x509-username-field emailAddress
+     x509-username-field 1.2.840.113549.1.9.1
      x509-username-field ext:subjectAltName
      x509-username-field CN serialNumber

-  The first example uses the value of the :code:`emailAddress` attribute
-  in the certificate's Subject field as the username. The second example
+  The first two examples use the value of the :code:`emailAddress` attribute
+  in the certificate's Subject field as the username, where the first example
+  uses the name while the second example uses the oid. The third example
   uses the :code:`ext:` prefix to signify that the X.509 extension
   ``fieldname`` :code:`subjectAltName` be searched for an rfc822Name
   (email) field to be used as the username. In cases where there are
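Review bot: the added sentence on lines "uses the name while the second example uses the oid" should spell the acronym "OID", matching the rest of the man page's style for X.509 terms, and reads more clearly as "the first by its name and the second by its OID". Since the commit message states that OBJ_txt2obj() also accepts long names, the documentation could mention that a long name such as ``commonName`` works alongside the short name ``CN`` shown in the fourth example, so readers do not assume only short names and numeric forms are valid.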