In July, I asked on the user list how to obtain the certificate serial
number of an active client:

http://thread.gmane.org/gmane.network.openvpn.user/19913

Just in case somebody needs it, you'll find a two-line patch underneath.
I now get in my log:
VERIFY OK: depth=0, serial=79,
emailAddress=pace/C=DE/ST=BW/L=Esslingen/O=Esslingen/OU=RZ/CN=OpenVPN2

It seems to work with OpenSSL-issued certificates, but always shows "-1"
with certificates issued by MS Certificate Services (at least for me). The
reason could be the strange serial number (e.g.
"25:87:30:51:00:03:00:00:1e:e5") given out by MS.

Patrick

--- ssl.c.orig  2007-09-02 16:42:32.000000000 +0200
+++ ssl.c       2007-09-02 16:32:58.000000000 +0200
@@ -753,8 +753,8 @@
       if (!retval)
        goto err;
     }
-
-  msg (D_HANDSHAKE, "VERIFY OK: depth=%d, %s", ctx->error_depth, subject);
+  long serial = ASN1_INTEGER_get (X509_get_serialNumber (ctx->current_cert));
+  msg (D_HANDSHAKE, "VERIFY OK: depth=%d, serial=%ld, %s", ctx->error_depth, 
serial, subject);

   session->verified = true;
   return 1;                    /* Accept connection */
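
Review bot: the added line `long serial = ASN1_INTEGER_get (X509_get_serialNumber (ctx->current_cert));` narrows the serial to a `long`, and ASN1_INTEGER_get returns -1 whenever the value does not fit in a long, so every certificate with a wider serial is logged as serial=-1 and the log can no longer tell such certificates apart. The 10-octet serial quoted in the message (25:87:30:51:00:03:00:00:1e:e5) is such a value. Suggest converting the ASN1_INTEGER with ASN1_INTEGER_to_BN and BN_bn2hex (or BN_bn2dec), logging the result with %s, checking both calls for NULL, and freeing the BIGNUM and the string afterwards. Separately, `long serial` is declared after the closing brace of the preceding block rather than at the top of the function, which a C89 build will reject; move the declaration up with the other locals.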
