The following patch fixes the maximum CN (Common Name) length, as discussed with Steffan Kargen on the openvpn-users mailing list.
Signed-off-by: Jorge Peixoto <jorgepeix...@gmail.com>
---
 src/openvpn/ssl_verify.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
index ad50458..73488fc 100644
--- a/src/openvpn/ssl_verify.c
+++ b/src/openvpn/ssl_verify.c
@@ -47,7 +47,7 @@
 #endif
 /** Maximum length of common name */
-#define TLS_USERNAME_LEN 64
+#define TLS_USERNAME_LEN 65
 /** Legal characters in an X509 name with --compat-names */
 #define X509_NAME_CHAR_CLASS (CC_ALNUM|CC_UNDERBAR|CC_DASH|CC_DOT|CC_AT|CC_SLASH|CC_COLON|CC_EQUAL)
@@ -625,7 +625,7 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep
 "limited to %d characters",
 opt->x509_username_field,
 subject,
- TLS_USERNAME_LEN);
+ TLS_USERNAME_LEN-1);
 goto cleanup;
 }
 }
@@ -1165,7 +1165,7 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi,
 /* check sizing of username if it will become our common name */
 if ((session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) && strlen (up->username) >= TLS_USERNAME_LEN)
 {
- msg (D_TLS_ERRORS, "TLS Auth Error: --username-as-common name specified and username is longer than the maximum permitted Common Name length of %d characters", TLS_USERNAME_LEN);
+ msg (D_TLS_ERRORS, "TLS Auth Error: --username-as-common name specified and username is longer than the maximum permitted Common Name length of %d characters", TLS_USERNAME_LEN-1);
 s1 = OPENVPN_PLUGIN_FUNC_ERROR;
 }
--
1.9.1
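Review bot: The doc comment above the define, `/** Maximum length of common name */`, no longer matches the value: at 65 the macro is a size that includes the terminating NUL, and the longest accepted name is 64, which the verify_cert and verify_user_pass hunks now have to spell as `TLS_USERNAME_LEN-1`. I would reword it to `/** Size of a common name buffer, including the terminating NUL */` and consider a companion define for the character limit (for example `#define TLS_USERNAME_MAXLEN (TLS_USERNAME_LEN-1)`, name to be chosen by the maintainers) so both messages and the length checks share one name. Every other use of `TLS_USERNAME_LEN` in ssl_verify.c outside these hunks also shifts by one; uses that size a buffer are fine, but any that treat it as a character count, or that copy into a buffer declared elsewhere with a fixed size, should be checked before merging.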
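Review bot: The rewritten message in verify_user_pass still spells the option as `--username-as-common name`; the flag tested two lines up is SSLF_USERNAME_AS_COMMON_NAME, so the text presumably means `--username-as-common-name`, and fixing the hyphen while the line is being touched keeps the log searchable by option name. The guard itself, `strlen (up->username) >= TLS_USERNAME_LEN`, is unchanged context but now admits a 64-character username, so wherever the username is later copied into the common name (outside this hunk) the destination has to hold 65 bytes. The function body starts and ends outside the hunk.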