Describe the bug
If username-as-common-name is configured, I assume that the common name is replaced by the user's username. However, the common_name is empty for a management client if management-client-auth is used.
If a management-client-auth management client does validation based on the common name, it would break if username-as-common-name is configured and no common name is given. In conclusion, the same username-as-common-name logic needs to be replicated.
In case username-as-common-name hits after authentication, a configuration hint from OpenVPN's point of view would be nice, so that the management client receives this info out of the box.
To Reproduce
Set up an OpenVPN server with username-as-common-name and verify-client-cert
Set up the management interface and connect via telnet.
Connect via OpenVPN client to the server
Observe the client connection
Expected behavior
If username-as-common-name is configured, I expect that >CLIENT:ENV,username=myself and >CLIENT:ENV,common_name=myself have the same values.
Version information (please complete the following information):
Expected behavior: If username-as-common-name is configured, I expect that >CLIENT:ENV,username=myself and >CLIENT:ENV,common_name=myself have the same values.
In this case the common_name is set to username only after authentication, so you will not see it in CLIENT:ENV when CLIENT:CONNECT cid kid is received. This command is issued before username and password are verified, and is indeed meant for the management client to do the user/pass authentication.
Subsequent messages like CLIENT:ESTABLISHED should contain the replaced common_name in CLIENT:ENV.
This is explained in the man page of recent versions:
--username-as-common-name
Use the authenticated username as the common-name, rather than the
common-name from the client certificate. Requires that some form of
--auth-user-pass verification is in effect. As the replacement happens after
--auth-user-pass verification, the verification script or plugin will still receive
the common-name from the certificate.
The common_name environment variable passed to scripts and plugins invoked
after authentication (e.g, client-connect script) and filenames parsed in client-config
directory will match the username.
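
The timing described in the reply above, as an added example that is not part of the original thread and is not OpenVPN's own code: it groups `>CLIENT:` notifications into events and picks the identity field that is valid at each stage. The sample lines are constructed, the function names are hypothetical, and the post-authentication check assumes the server runs with --username-as-common-name.

```python
# Added example, not OpenVPN code. SAMPLE is constructed, not captured output.
SAMPLE = """\
>CLIENT:CONNECT,0,1
>CLIENT:ENV,untrusted_ip=192.0.2.10
>CLIENT:ENV,username=myself
>CLIENT:ENV,END
>CLIENT:ESTABLISHED,0
>CLIENT:ENV,common_name=myself
>CLIENT:ENV,username=myself
>CLIENT:ENV,END
"""

PRE_AUTH = {"CONNECT", "REAUTH"}  # issued before username/password are verified


def parse_events(lines):
    """Yield (kind, ids, env) for each >CLIENT: block closed by >CLIENT:ENV,END."""
    kind, ids, env = None, [], {}
    for raw in lines:
        line = raw.strip()
        if not line.startswith(">CLIENT:"):
            continue
        tag, _, rest = line[len(">CLIENT:"):].partition(",")
        if tag != "ENV":                      # header line, e.g. CONNECT,cid,kid
            kind, ids, env = tag, rest.split(","), {}
        elif rest == "END":
            if kind is not None:
                yield kind, ids, env
            kind = None
        elif kind is not None:                # one name=value pair of the block
            name, _, value = rest.partition("=")
            env[name] = value


def identity(kind, env):
    """Return the name valid at this stage; raise if post-auth fields disagree."""
    if kind in PRE_AUTH:
        # common_name is not replaced yet (empty or certificate CN): use username.
        return env.get("username") or None
    cn, user = env.get("common_name"), env.get("username")
    if user is not None and cn != user:
        # Assumes the server is configured with --username-as-common-name.
        raise ValueError(f"common_name {cn!r} != username {user!r} after auth")
    return cn


def identities(text):
    """Map every event in a management-interface transcript to (kind, name)."""
    return [(k, identity(k, env)) for k, _, env in parse_events(text.splitlines())]
```

A management client that keys its authorization on `common_name` would call `identity()` with the event kind, so that pre-authentication events fall back to `username` and a post-authentication mismatch is surfaced instead of silently trusted.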