On 21.04.25 at 23:44, Klemens Nanni wrote:
> This allows for accepting clients based on their certificate authority:
>
>     x509-username-field issuer CN
>     verify-x509-name ...CA=ExampleCA_ match-prefix
>
> `tls-verify` or `plugin` can do the equivalent, but require additional code
> execution and always incur overhead or may not be an option when running with
> reduced privileges, e.g. `chroot`
I am trying to understand the use case for this patch. Issuer is only
something you can trust and verify if you verified the fingerprint of
the certificate or that the certificate is issued by a given CA. But if
it is already verified to belong to a trusted CA, then you don't need
issuer CN anymore.
It would also be good to try to add a unit test. Since it is probably a
quite exotic use case, this will not be tested regularly and as such is
in danger of becoming broken, and since this is an auth-related option that
might then be an authentication bypass. We really want to avoid that.
Arne
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
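To make both points of the exchange concrete, here is an added Go example (not OpenVPN's code, and not the patch under review): it builds two CAs that are in the trust store and a third that is not but whose CN also starts with `ExampleCA_`, issues one client certificate from each, and compares an issuer-CN prefix match on its own with the same match applied only after the chain verifies against the trusted roots, which is what `--ca` already enforces before any `verify-x509-name` check runs. The CA and client names are constructed, and `strings.HasPrefix` stands in for the `match-prefix` comparison.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"strings"
	"time"
)

// issue makes a fresh P-256 key and a certificate for cn signed by parent; a nil parent
// yields a self-signed CA. Errors are ignored for brevity in this constructed demo.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: true, IsCA: parent == nil, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil { // CA: may sign other certificates, and signs itself here
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Accept returns {prefix match on the claimed issuer alone, same match only after the chain verifies}.
func Accept(c *x509.Certificate, roots *x509.CertPool, prefix string) [2]bool {
	prefixOnly := strings.HasPrefix(c.Issuer.CommonName, prefix)
	_, err := c.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return [2]bool{prefixOnly, err == nil && prefixOnly}
}

// Demo: two trusted CAs plus one outside the trust store whose CN also matches; one client each.
func Demo() map[string][2]bool {
	const prefix = "ExampleCA_"
	roots, out := x509.NewCertPool(), map[string][2]bool{}
	for i, ca := range []string{"ExampleCA_1", "OtherCA", "ExampleCA_untrusted"} {
		caCert, caKey := issue(ca, nil, nil)
		if i < 2 { // the third CA is never added to roots (it is not in --ca)
			roots.AddCert(caCert)
		}
		leaf, _ := issue("client-of-"+ca, caCert, caKey)
		out["client-of-"+ca] = Accept(leaf, roots, prefix) // each leaf needs only its own CA, already added
	}
	return out
}
```

Only the client of `ExampleCA_1` passes both checks; the client of `OtherCA` shows what the prefix adds when the trust store holds more than one CA, and the client of the untrusted CA shows why the prefix alone proves nothing.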