path: root/doc/openvpn.8
author    Heiko Hund <heiko.hund@sophos.com>    2013-03-07 16:36:41 +0100
committer Gert Doering <gert@greenie.muc.de>   2013-03-07 20:23:36 +0100
commit    9f0fc745664fd0fc6a1c6785e101bf912088db16 (patch)
tree      c459b41732989a3547ba4014b9fb904369ed57ea /doc/openvpn.8
parent    ad532bba896875e56488e69ec16212a77787c57b (diff)
download  openvpn-9f0fc745664fd0fc6a1c6785e101bf912088db16.tar.gz
          openvpn-9f0fc745664fd0fc6a1c6785e101bf912088db16.tar.xz
          openvpn-9f0fc745664fd0fc6a1c6785e101bf912088db16.zip
add new option for X.509 name verification
Add the option --verify-x509-name to provide the functionality of the now
deprecated --tls-remote. The new option accepts RFC 2253 subject DNs only and
compares RDN or RDN prefix only if configured explicitly.

Signed-off-by: Heiko Hund <heiko.hund@sophos.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: 1362670601-18660-1-git-send-email-heiko.hund@sophos.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/7376
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Diffstat (limited to 'doc/openvpn.8')
-rw-r--r--  doc/openvpn.8  82
1 files changed, 69 insertions, 13 deletions
diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 998f7ab..d590714 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -3431,7 +3431,7 @@ the authenticated username as the common name,
rather than the common name from the client cert.
.\"*********************************************************
.TP
-.B \-\-compat\-names [no\-remapping]
+.B \-\-compat\-names [no\-remapping] (DEPRECATED)
Until OpenVPN v2.3 the format of the X.509 Subject fields was formatted
like this:
.IP
@@ -3467,17 +3467,20 @@ The
mode flag can be used with the
.B
\-\-compat\-names
-option to be compatible with the now deprecated \-\-no\-name\-remapping feature
-present in older OpenVPN versions. When this mode flag is used, the Common Name,
+option to be compatible with the now deprecated \-\-no\-name\-remapping option.
+It is only available at the server. When this mode flag is used, the Common Name,
Subject, and username strings are allowed to include any printable character
including space, but excluding control characters such as tab, newline, and
-carriage-return.
+carriage-return. no-remapping is only available on the server side.
.B Please note:
-This option will not be around for a long time. It is only implemented
+This option is immediately deprecated. It is only implemented
to make the transition to the new formatting less intrusive. It will be
-removed either in OpenVPN v2.4 or v2.5. So please make sure you start
-the process to support the new formatting as soon as possible.
+removed either in OpenVPN v2.4 or v2.5. So please make sure you use the
+.B \-\-verify-x509-name
+option instead of
+.B \-\-tls-remote
+as soon as possible and update your scripts where necessary.
.\"*********************************************************
.TP
.B \-\-no\-name\-remapping (DEPRECATED)
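Review bot: the sentence appended to the carriage-return paragraph, "no-remapping is only available on the server side.", repeats what the new line "It is only available at the server." already states three lines earlier in the same hunk; keep one of the two. "This option is immediately deprecated" also reads oddly in a man page; "This option is deprecated" is enough, since the removal version follows in the next sentence. As a style point, the two new `.B` lines write `\-\-verify-x509-name` and `\-\-tls-remote` with unescaped inner hyphens, while the surrounding text consistently uses `\-\-compat\-names` and `\-\-no\-name\-remapping`; escape every hyphen as `\-` so the option names render with the same ASCII hyphen-minus characters as the rest of the page and can be copied verbatim into a configuration.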
@@ -3485,7 +3488,7 @@ The
.B \-\-no\-name\-remapping
option is an alias for
.B \-\-compat\-names\ no\-remapping.
-It ensures compatibility with configurations using the
+It ensures compatibility with server configurations using the
.B \-\-no\-name\-remapping
option.
@@ -4671,11 +4674,11 @@ is available via the peer_cert environment variable.
Field in x509 certificate subject to be used as username (default=CN).
.B Fieldname
will be uppercased before matching. When this option is used, the
---tls-remote option will match against the chosen fieldname instead
-of the CN.
+.B \-\-verify-x509-username
+option will match against the chosen fieldname instead of the CN.
.\"*********************************************************
.TP
-.B \-\-tls-remote name
+.B \-\-tls-remote name (DEPRECATED)
Accept connections only from a host with X509 name
or common name equal to
.B name.
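Review bot: the option name in the replacement `.B` line of the `\-\-x509-username-field` paragraph is wrong: `\-\-verify-x509-username` is not an option this patch (or the existing page) defines; the option being introduced is `\-\-verify-x509-name`. As written, the paragraph points readers at a nonexistent option. Change the line to `.B \-\-verify\-x509\-name` (escaping the hyphens as `\-`, matching the page's convention).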
@@ -4707,6 +4710,59 @@ option to verify the remote host, because
works in a
.B \-\-chroot
environment too.
+
+.B Please also note:
+This option is now deprecated. It will be removed either in OpenVPN v2.4
+or v2.5. So please make sure you support the new X.509 name formatting
+described with the
+.B \-\-compat-names
+option as soon as possible by updating your configurations to use
+.B \-\-verify-x509-name
+instead.
+.\"*********************************************************
+.TP
+.B \-\-verify-x509-name name type
+Accept connections only if a host's X.509 name is equal to
+.B name.
+The remote host must also pass all other tests of verification.
+
+Which X.509 name is compared to
+.B name
+depends on the setting of type.
+.B type
+can be "subject" to match the complete subject DN (default),
+"name" to match a subject RDN or "name-prefix" to match a subject RDN prefix.
+Which RDN is verified as name depends on the
+.B \-\-x509-username-field
+option. But it defaults to the common name (CN), e.g. a certificate with a
+subject DN "C=KG, ST=NA, L=Bishkek, CN=Server-1" would be matched by:
+
+.B \-\-verify-x509-name 'C=KG, ST=NA, L=Bishkek, CN=Server-1'
+and
+.B \-\-verify-x509-name Server-1 name
+or you could use
+.B \-\-verify-x509-name Server- name-prefix
+if you want a client to only accept connections to "Server-1", "Server-2", etc.
+
+.B \-\-verify-x509-name
+is a useful replacement for the
+.B \-\-tls-verify
+option to verify the remote host, because
+.B \-\-verify-x509-name
+works in a
+.B \-\-chroot
+environment without any dependencies.
+
+Using a name prefix is a useful alternative to managing
+a CRL (Certificate Revocation List) on the client, since it allows the client
+to refuse all certificates except for those associated
+with designated servers.
+
+.B NOTE:
+Test against a name prefix only when you are using OpenVPN with
+a custom CA certificate that is under your control.
+Never use this option with type "name-prefix" when your client certificates
+are signed by a third party, such as a commercial web CA.
.\"*********************************************************
.TP
.B \-\-x509-track attribute
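Review bot: the synopsis line `.B \-\-verify-x509-name name type` presents `type` as mandatory, yet the text says it defaults to "subject" and the first example omits it; use the page's bracket convention for optional arguments, as `\-\-compat\-names [no\-remapping]` does, i.e. `.B \-\-verify\-x509\-name name [type]`. In the closing NOTE, "when your client certificates are signed by a third party" is confusing, because this check is performed by the client against the server's certificate; "when the certificates you are verifying are signed by a CA you do not control" says what is meant. The name-prefix paragraph should also state plainly that a prefix match accepts any certificate whose chosen RDN starts with the prefix, so `Server-` matches not only "Server-1" and "Server-2" but any other name with that prefix issued by the CA; and the sentence presenting a prefix as an alternative to managing a CRL overstates it: the prefix narrows which certificates are accepted, but it cannot reject a leaked certificate that already carries a matching name, so a CRL (or `\-\-crl\-verify`, if the page documents it) is still what handles revocation.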
@@ -4744,7 +4800,7 @@ a man-in-the-middle attack where an authorized client
attempts to connect to another client by impersonating the server.
The attack is easily prevented by having clients verify
the server certificate using any one of
-.B \-\-ns-cert-type, \-\-tls-remote,
+.B \-\-ns-cert-type, \-\-verify-x509-name,
or
.B \-\-tls-verify.
.\"*********************************************************
@@ -4802,7 +4858,7 @@ a man-in-the-middle attack where an authorized client
attempts to connect to another client by impersonating the server.
The attack is easily prevented by having clients verify
the server certificate using any one of
-.B \-\-remote-cert-tls, \-\-tls-remote,
+.B \-\-remote-cert-tls, \-\-verify-x509-name,
or
.B \-\-tls-verify.
.\"*********************************************************