Very useful if you need to distinguish usernames for clients with multiple certificates and/or want to verify more than just CN without having to call a --tls-verify script or full-fledged module for that:
--x509-username-field args Fields in the X.509 certificate subject to be used as the username (default CN). If multiple fields are specified their values will be concatenated into the one username using _ symbol as a separator. [...] When this option is used, the --verify-x509-name option will match against the chosen fieldname instead of the Common Name.

Works great in my setup; I have not tested mbedtls. OK?

Index: Makefile =================================================================== RCS file: /cvs/ports/net/openvpn/Makefile,v diff -u -p -r1.133 Makefile --- Makefile 3 Apr 2025 11:49:31 -0000 1.133 +++ Makefile 17 Apr 2025 11:14:18 -0000 @@ -1,6 +1,7 @@ COMMENT= easy-to-use, robust, and highly configurable VPN DISTNAME= openvpn-2.6.14 +REVISION= 0 CATEGORIES= net security @@ -24,7 +25,8 @@ CONFIGURE_STYLE= gnu CONFIGURE_ENV= CPPFLAGS="-I${LOCALBASE}/include" \ LDFLAGS="-L${LOCALBASE}/lib ${LDFLAGS}" -CONFIGURE_ARGS+=--with-openssl-engine=no +CONFIGURE_ARGS= --enable-x509-alt-username \ + --with-openssl-engine=no DEBUG_PACKAGES= ${BUILD_PACKAGES}
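
Review bot: In the second hunk (@@ -24,7 +25,8 @@) the operator changes from "CONFIGURE_ARGS+=" to "CONFIGURE_ARGS=", which is unrelated to enabling the option and would discard anything appended to CONFIGURE_ARGS before this point; keeping "CONFIGURE_ARGS+=" and only adding the --enable-x509-alt-username line keeps the change minimal. The flag is also added unconditionally while the message says mbedtls is untested, so if this port can be built against mbedtls, that build should be checked with the flag (or the flag limited to the OpenSSL build) before commit. Because --verify-x509-name matches against the chosen field once --x509-username-field is set, a short note for users in the port's documentation would help anyone who enables the option on an existing configuration.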