Hi Jason,

On 13-12-15 05:25, Jason Haar wrote:
> So am I correct in saying that if a client is configured to only use
> "verify-x509-name xxxx.yyyy name" to validate server, so as long as the
> server cert contains "xxxx.yyyy" as one of its "Subject alternative
> names", the client is happy

No, verify-x509-name does not do anything with Subject alt names. It 
validates the peer certificate subject (or a specific part of the 
subject, if you use the 'name' or 'name-prefix' types).  I think the man 
page explains this quite accurately:

  --verify-x509-name name type
         Accept connections only if a host's X.509 name is equal to name.
         The remote host must also pass all other tests of verification.

         Which  X.509  name is compared to name depends on the setting of
         type.  type can be "subject" to match the  complete  subject  DN
         (default),  "name"  to  match  a subject RDN or "name-prefix" to
         match a subject RDN prefix.   Which  RDN  is  verified  as  name
         depends  on the --x509-username-field option. But it defaults to
         the common name (CN), e.g.  a  certificate  with  a  subject  DN
         "C=KG, ST=NA, L=Bishkek, CN=Server-1" would be matched by:

         --verify-x509-name 'C=KG, ST=NA, L=Bishkek, CN=Server-1' and
         --verify-x509-name Server-1 name or you could use --verify-
         x509-name Server- name-prefix if you want a client to only
         accept connections to "Server-1", "Server-2", etc.

> So... I could configure the client to connect to the servers IP address,
> or some entirely unrelated "aaaa.bbbb" DNS alias - and it would be
> happy, because the server cert contains "xxxx.yyyy" as one of its name
> options? i.e. there's no need for the other DNS aliases to be part of the
> server cert?

Yes (but see above).  In OpenVPN, the address of a server is not taken 
into account for certificate validation, so you can happily change its 
address and/or IP, update your client config, but keep your certificates.

-Steffan
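To make the behaviour described in this thread concrete, the following is a small model of the three --verify-x509-name match types from the quoted man page. It is an added example written for this page, not OpenVPN source code: the certificate dictionary, its subject and SAN values, and the function names are constructed for illustration, and the subject comparison works on parsed RDN pairs rather than on the exact string OpenVPN formats internally. What it shows is the point Steffan makes: the check looks only at the subject DN (or the RDN selected by --x509-username-field), so a Subject Alternative Name entry and the address the client connects to never enter the decision.

```python
"""Model of OpenVPN's --verify-x509-name matching (added example, not OpenVPN code).

Implements the three 'type' values from the man page:
  subject      - the whole subject DN must equal the expected value (default)
  name         - one RDN (the --x509-username-field, default CN) must equal it
  name-prefix  - that RDN must start with the expected value
"""
from typing import Dict, List, Tuple

# Constructed sample certificate. The "san" list is present only to show
# that it plays no role in the check; real OpenVPN never consults it here.
CONSTRUCTED_SERVER_CERT: Dict[str, object] = {
    "subject": "C=KG, ST=NA, L=Bishkek, CN=Server-1",
    "san": ["xxxx.yyyy", "aaaa.bbbb"],
}


def parse_subject_dn(dn: str) -> List[Tuple[str, str]]:
    """Split 'C=KG, ST=NA, CN=Server-1' into [('C','KG'), ('ST','NA'), ...].

    Simplified: assumes values contain no escaped commas or '=' characters.
    """
    rdns: List[Tuple[str, str]] = []
    for part in dn.split(","):
        part = part.strip()
        if not part:
            continue
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def verify_x509_name(subject_dn: str, expected: str,
                     match_type: str = "subject",
                     username_field: str = "CN") -> bool:
    """Return True if the subject passes the --verify-x509-name test.

    match_type mirrors the option's 'type' argument; username_field mirrors
    --x509-username-field, which picks the RDN used by 'name'/'name-prefix'.
    """
    rdns = parse_subject_dn(subject_dn)

    if match_type == "subject":
        # Whole-DN match: every RDN, in order, must agree.
        return rdns == parse_subject_dn(expected)

    # Locate the RDN selected by --x509-username-field (CN by default).
    field_value = next(
        (value for attr, value in rdns if attr == username_field.upper()), None
    )
    if field_value is None:
        return False  # the chosen RDN is absent, so nothing can match

    if match_type == "name":
        return field_value == expected
    if match_type == "name-prefix":
        return field_value.startswith(expected)
    raise ValueError(f"unknown --verify-x509-name type: {match_type!r}")


def client_accepts(cert: Dict[str, object], expected: str,
                   match_type: str = "subject",
                   username_field: str = "CN") -> bool:
    """The client's decision. Note that cert['san'] and the address the
    client dialled are never looked at, exactly as the thread describes."""
    return verify_x509_name(str(cert["subject"]), expected,
                            match_type, username_field)


if __name__ == "__main__":
    cert = CONSTRUCTED_SERVER_CERT
    # The three forms from the man page all accept Server-1.
    print(client_accepts(cert, "C=KG, ST=NA, L=Bishkek, CN=Server-1"))
    print(client_accepts(cert, "Server-1", "name"))
    print(client_accepts(cert, "Server-", "name-prefix"))
    # A SAN value is not a subject RDN, so matching on it fails.
    print(client_accepts(cert, "xxxx.yyyy", "name"))
```

Running the block prints True, True, True, False: a client configured with `verify-x509-name xxxx.yyyy name` would reject this certificate even though `xxxx.yyyy` is one of its SANs, because the CN is `Server-1`. Pointing the client at a different DNS alias or IP changes none of these results, which is why the certificate can stay the same when the server's address changes.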


------------------------------------------------------------------------------
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users