On Sat, Apr 19, 2025 at 03:28:59PM +0000, Klemens Nanni wrote:
> Very useful if you need to distinguish usernames for clients with multiple
> certificates and/or want to verify more than just CN without having to call
> a --tls-verify script or full-fledged module for that:
>
> --x509-username-field args
> Fields in the X.509 certificate subject to be used as the username
> (default CN). If multiple fields are specified their values will
> be concatenated into the one username using _ symbol as a
> separator.
> [...]
> When this option is used, the --verify-x509-name option will match
> against the chosen fieldname instead of the Common Name.
>
> Works great in my setup; I have not tested mbedtls.
Wrong time to omit a test build, it fails at configure time: configure: error: mbed TLS does not support the --x509-username-field feature I verified that the default behavior still works using the CN of the subject. > OK? ok for the diff below. Index: Makefile =================================================================== RCS file: /cvs/ports/net/openvpn/Makefile,v diff -u -p -r1.133 Makefile --- Makefile 3 Apr 2025 11:49:31 -0000 1.133 +++ Makefile 21 Apr 2025 17:14:19 -0000 @@ -1,6 +1,7 @@ COMMENT= easy-to-use, robust, and highly configurable VPN DISTNAME= openvpn-2.6.14 +REVISION= 0 CATEGORIES= net security @@ -39,7 +40,8 @@ WANTLIB += mbedcrypto mbedtls mbedx509 p # ensure 'pkcs11-providers .../p11-kit-proxy.so' as default BUILD_DEPENDS+= security/p11-kit LIB_DEPENDS+= security/pkcs11-helper -CONFIGURE_ARGS+= --enable-pkcs11 +CONFIGURE_ARGS+= --enable-pkcs11 \ + --enable-x509-alt-username WANTLIB += crypto pkcs11-helper ssl .endif -- jca
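Review bot: in the second hunk, `--enable-x509-alt-username` is added only inside the OpenSSL branch of the flavor conditional (the block ending with `WANTLIB += crypto pkcs11-helper ssl` and `.endif`), which matches the configure failure reported for mbed TLS, but nothing in the Makefile says why the flag is restricted to that branch; a one-line comment next to it in the style of the existing `# ensure 'pkcs11-providers .../p11-kit-proxy.so' as default` line, stating that mbed TLS builds do not support the feature, would stop a later reader from "fixing" it by hoisting the flag out of the conditional. Since the quoted manual text says `--verify-x509-name` switches to matching the chosen field once `--x509-username-field` is set, it is also worth stating in the commit message that setups which do not use the new option keep the CN-based behaviour, which is what the default-behaviour test above confirms.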