From patchwork Sat Feb 15 19:01:44 2025
From: corubba <corubba@gmx.de>
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 15 Feb 2025 20:01:44 +0100
Subject: [Openvpn-devel] [PATCH 2/2] Document x509-username-fields oid usage
In-Reply-To: <951b0ff7-9fb7-405b-bf6e-ef4ebf12afaf@gmx.de>
X-Patchwork-Id: 4148

When built against OpenSSL, the parameters of the x509-username-fields
option are in extract_x509_field_ssl() fed through OBJ_txt2obj() [0],
which accepts "long names and short names [...] as well as numerical
forms." Because of this, you can for example use
`x509-username-field 2.5.4.41` to make OpenVPN read the `name` field [1].

x509-username-fields is currently not implemented for mbed TLS, so that
can be ignored.

[0] https://docs.openssl.org/1.1.1/man3/OBJ_nid2obj/
[1] https://oidref.com/2.5.4.41
Signed-off-by: Corubba Smith Acked-by: Gert Doering --- doc/man-sections/tls-options.rst | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) -- 2.48.1 diff --git a/doc/man-sections/tls-options.rst b/doc/man-sections/tls-options.rst index 7882e924..0638d095 100644 --- a/doc/man-sections/tls-options.rst +++ b/doc/man-sections/tls-options.rst @@ -744,11 +744,13 @@ If the option is inlined, ``algo`` is always :code:`SHA256`. :: x509-username-field emailAddress + x509-username-field 1.2.840.113549.1.9.1 x509-username-field ext:subjectAltName x509-username-field CN serialNumber - The first example uses the value of the :code:`emailAddress` attribute - in the certificate's Subject field as the username. The second example + The first two examples use the value of the :code:`emailAddress` attribute + in the certificate's Subject field as the username, where the first example + uses the name while the second example uses the oid. The third example uses the :code:`ext:` prefix to signify that the X.509 extension ``fieldname`` :code:`subjectAltName` be searched for an rfc822Name (email) field to be used as the username. In cases where there are
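Review bot: the renumbered ordinals in the replaced prose ("The third example uses the :code:`ext:` prefix ...") need checking against the rest of this paragraph, which lies outside the hunk's context: the sentence beginning "In cases where there are" presumably goes on to describe the `CN serialNumber` example, and any ordinal used there for it would now be off by one. Two wording points on the same `+` lines: write "OID" in upper case, and say "numeric OID" so the reader knows the dotted-decimal form is meant, e.g. `uses the attribute name while the second example uses its numeric OID`.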
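The lookup the commit message describes, shown as an added example that is not OpenVPN's or OpenSSL's code: a selector given either as an attribute name or as a dotted numeric OID is resolved to one OID (the role OBJ_txt2obj() plays in the OpenSSL build) and then matched against the attributes of a DER-encoded X.509 Subject. Everything here is constructed for illustration: the small `ATTRIBUTE_OIDS` name table stands in for OpenSSL's object database, `SAMPLE_SUBJECT` is a hand-built Subject, and the function names (`selector_to_oid`, `extract_x509_field`) are hypothetical, not OpenVPN's. It goes slightly beyond the commit message in that an unknown selector is rejected rather than silently matching nothing, which is the behaviour you want from the option that decides which certificate field becomes the VPN username.

```python
"""Resolve an x509-username-field style selector (name or numeric OID) against
a DER-encoded X.509 Name.  Added example; not OpenVPN or OpenSSL code."""
from typing import List, Optional, Tuple

# Constructed name table standing in for OpenSSL's object database.
ATTRIBUTE_OIDS = {
    "CN": "2.5.4.3",
    "commonName": "2.5.4.3",
    "serialNumber": "2.5.4.5",
    "name": "2.5.4.41",
    "emailAddress": "1.2.840.113549.1.9.1",
}


def selector_to_oid(text: str) -> str:
    """Accept a short/long name or a dotted numeric OID (as OBJ_txt2obj does).
    Unknown names raise instead of matching nothing."""
    if "." in text and all(part.isdigit() for part in text.split(".")):
        return text
    if text in ATTRIBUTE_OIDS:
        return ATTRIBUTE_OIDS[text]
    raise ValueError(f"unknown attribute selector: {text!r}")


def encode_oid(dotted: str) -> bytes:
    """DER OID content octets; first two arcs packed as 40*a0 + a1."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]          # base-128, high bit set on all but last
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes(body)


def decode_oid(body: bytes) -> str:
    """Inverse of encode_oid (assumes first arc 0 or 1, or second arc < 40)."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def der(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder (short and long-form lengths)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, content, position after this TLV)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def build_name(attrs: List[Tuple[str, str]]) -> bytes:
    """Constructed Subject: SEQUENCE OF SET OF SEQUENCE { OID, string }."""
    rdns = []
    for oid, value in attrs:
        string_tag = 0x16 if oid == ATTRIBUTE_OIDS["emailAddress"] else 0x0C  # IA5String / UTF8String
        atv = der(0x30, der(0x06, encode_oid(oid)) + der(string_tag, value.encode()))
        rdns.append(der(0x31, atv))
    return der(0x30, b"".join(rdns))


def parse_name(name_der: bytes) -> List[Tuple[str, str]]:
    """Walk the Name structure and return (dotted OID, value) pairs in order."""
    tag, seq, _ = read_tlv(name_der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(seq):
        tag, rdn, pos = read_tlv(seq, pos)
        if tag != 0x31:
            raise ValueError("RDN must be a SET")
        inner = 0
        while inner < len(rdn):
            tag, atv, inner = read_tlv(rdn, inner)
            tag_o, oid_body, p = read_tlv(atv, 0)
            _, value, _ = read_tlv(atv, p)
            if tag != 0x30 or tag_o != 0x06:
                raise ValueError("malformed AttributeTypeAndValue")
            out.append((decode_oid(oid_body), value.decode()))
    return out


def extract_x509_field(name_der: bytes, selector: str) -> Optional[str]:
    """First Subject attribute whose OID matches the selector, else None."""
    wanted = selector_to_oid(selector)
    for oid, value in parse_name(name_der):
        if oid == wanted:
            return value
    return None


# Constructed sample Subject (not a real certificate).
SAMPLE_SUBJECT = build_name([
    ("2.5.4.3", "alice"),                             # CN
    ("2.5.4.41", "Alice Example"),                    # name
    ("1.2.840.113549.1.9.1", "alice@example.test"),   # emailAddress
])

if __name__ == "__main__":
    for sel in ("emailAddress", "1.2.840.113549.1.9.1", "CN", "2.5.4.41", "name"):
        print(f"{sel:>22} -> {extract_x509_field(SAMPLE_SUBJECT, sel)}")
```

Run stand-alone, the loop shows `emailAddress` and `1.2.840.113549.1.9.1` yielding the same value, as do `name` and `2.5.4.41`, which is exactly the equivalence the two documented examples rely on; the numeric form is the one that does not depend on which names a given library's object table happens to know.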