Chris J Arges wrote:
This patch allows one to specify --pkcs11-id auto to automatically
select the first certificate on a pkcs11 device. This simplifies
scripts and usage in environments where clients may only use a single
certificate for connecting to a VPN.
Based on a patch by Oliver Dumschat-H

This patch set tries to do X.509 name verification right. As discussed
during FOSDEM 2013, changing --tls-remote to support RFC 2253 style
subject DNs only was too radical as it broke more configurations than
expected.
This makes --tls-remote work with old configurations again, but
deprecates its

The option is just an alias for --compat-names no-remapping and is
introduced so pre-2.3 server configurations don't break.
Signed-off-by: Heiko Hund
---
doc/openvpn.8 | 32 +++-
src/openvpn/options.c | 21 ++---
2 files changed, 37 inserti

In openvpn 2.3.0 the semantics of the --tls-remote option changed.
That broke more configurations than anticipated. To not break
configurations that use --tls-remote with a legacy OpenSSL style DN
anymore, it is now detected when such a DN is configured. When
necessary the --compat-names option is

Add the option --verify-x509-name to provide the functionality
of the now deprecated --tls-remote.
The new option accepts RFC 2253 subject DNs only and compares
RDN or RDN prefix only if configured explicitly.
Signed-off-by: Heiko Hund
---
doc/openvpn.8| 78 +++