The change from using system() to execve() introduced as part of the defensive programming changes in r3122 breaks the supplied verify-cn script and recommended usage of multiple arguments with the --tls-verify option.
From openvpn(8): "Note that cmd can be a shell command with multiple arguments, in which case all OpenVPN-generated arguments will be appended to cmd to build a command line which will be passed to the script."

Of course, by using execve() instead of system() this is no longer true. Multiple arguments are interpreted as part of the script file name itself.

I use a script with tls-verify that's similar to the supplied verify-cn, in that it checks the Organizational Unit of the certificate against the one supplied via command line (and thus, specified in the config file). I'd rather not hardcode the comparison name, and it would be my preference not to pass it as an environment variable either.

Is there another workaround that would let me specify additional parameters to the tls-verify script from the config file? At the very least, the man page and the header of the verify-cn script should be updated to reflect that this behavior is no longer supported.

Thanks!
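The behaviour reported above, as an added example that is not part of the original message and not OpenVPN code: the same "cmd with an extra argument" string run through system(), through execve() on the unsplit string, and through a shell-free whitespace split into argv. All function names are hypothetical, and `/usr/bin/env test OU=Ops =` is a constructed stand-in for a verify script that takes the expected OU as its configured argument (it assumes `/usr/bin/env` exists and `test` is on PATH).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
extern char **environ;

/* fork + execve(argv[0]); returns the exit status, 127 if the exec failed. */
static int run_argv(char *const argv[]) {
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execve(argv[0], argv, environ); _exit(127); }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* system(): /bin/sh parses the whole line, generated part included. */
int run_system(const char *cmd, const char *generated) {
    char line[512];
    if (snprintf(line, sizeof line, "%s %s", cmd, generated) >= (int)sizeof line) return -1;
    int status = system(line);
    return (status != -1 && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}

/* execve() on the unsplit string: "cmd arg" is looked up as one file name. */
int run_execve_whole(const char *cmd, const char *generated) {
    char *argv[] = { (char *)cmd, (char *)generated, NULL };
    return run_argv(argv);
}

/* Shell-free alternative (assumed, not OpenVPN code): split cmd on whitespace. */
int run_execve_split(const char *cmd, const char *generated) {
    char buf[512], *argv[32];
    int n = 0;
    if (snprintf(buf, sizeof buf, "%s", cmd) >= (int)sizeof buf) return -1;
    char *t = strtok(buf, " \t");
    for (; t && n < 30; t = strtok(NULL, " \t")) argv[n++] = t;
    if (n == 0 || t) return -1;        /* empty command or too many tokens */
    argv[n++] = (char *)generated;     /* generated value stays one argv element */
    argv[n] = NULL;
    return run_argv(argv);
}

int main(void) {
    const char *cmd = "/usr/bin/env test OU=Ops ="; /* constructed stand-in */
    printf("system=%d whole=%d split=%d\n", run_system(cmd, "OU=Ops"),
           run_execve_whole(cmd, "OU=Ops"), run_execve_split(cmd, "OU=Ops"));
    return 0;
}
```

The split variant only handles whitespace-separated tokens, so a configured argument containing spaces would need a quoting rule of its own.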