author: Andris Kalnozols <andris@hpl.hp.com> 2014-06-28 19:41:02 +0200
committer: Gert Doering <gert@greenie.muc.de> 2014-07-10 20:09:27 +0200
commit: f4e0ad82b0eaccce965074c1ceec2b7e3853dc0d (patch)
tree: 74225765d72d074259ba5cb4fd710d8c4fcd7d5d /doc
parent: 0c21b2dba9fca5f3e7effc45a495be1f5a9d0246 (diff)
Do not upcase x509-username-field for mixed-case arguments.
I revisited options.c to refine its brute-force upcasing behavior. Now, the upcasing is done only if the option argument is all lowercase. Mixed-case arguments and those with the "ext:" prefix are left unchanged. This preserves the original intent of the "helpful" upcasing feature for backwards compatibility while limiting its scope in a straightforward way.

Signed-off-by: Andris Kalnozols <andris@hpl.hp.com>
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <53B1BDD8.8020705@karger.me>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Diffstat (limited to 'doc')
-rw-r--r-- doc/openvpn.8 | 44
1 files changed, 38 insertions, 6 deletions
diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 76b7bfd..6d4f3cf 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -4790,12 +4790,44 @@ the tls-verify script returns. The file name used for the certificate
is available via the peer_cert environment variable.
.\"*********************************************************
.TP
-.B \-\-x509-username-field fieldname
-Field in x509 certificate subject to be used as username (default=CN).
-.B Fieldname
-will be uppercased before matching. When this option is used, the
-.B \-\-verify-x509-username
-option will match against the chosen fieldname instead of the CN.
+.B \-\-x509-username-field [ext:\]fieldname
+Field in the X.509 certificate subject to be used as the username (default=CN).
+Typically, this option is specified with
+.B fieldname
+as either of the following:
+
+.B \-\-x509-username-field
+emailAddress
+.br
+.B \-\-x509-username-field ext:\fRsubjectAltName
+
+The first example uses the value of the "emailAddress" attribute in the
+certificate's Subject field as the username. The second example uses
+the
+.B ext:
+prefix to signify that the X.509 extension
+.B fieldname
+"subjectAltName" be searched for an rfc822Name (email) field to be used
+as the username. In cases where there are multiple email addresses
+in
+.B ext:fieldname\fR,
+the last occurrence is chosen.
+
+When this option is used, the
+.B \-\-verify-x509-name
+option will match against the chosen
+.B fieldname
+instead of the Common Name.
+
+.B Please note:
+This option has a feature which will convert an all-lowercase
+.B fieldname
+to uppercase characters, e.g., ou -> OU. A mixed-case
+.B fieldname
+or one having the
+.B ext:
+prefix will be left as-is. This automatic upcasing feature
+is deprecated and will be removed in a future release.
.\"*********************************************************
.TP
.B \-\-tls-remote name (DEPRECATED)
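Review bot: the cross-reference in this hunk silently changes from `.B \-\-verify-x509-username` to `.B \-\-verify-x509-name`, but the commit message only talks about the upcasing behaviour; if the old name was a documentation error, say so in the commit message so the rename is not mistaken for an option change. Two smaller points in the same hunk: the "Please note" paragraph announces that the automatic upcasing is deprecated and will be removed, yet it does not tell the reader what to write instead, so a sentence such as "spell the attribute as it appears in the certificate, e.g. OU" would let users fix their configs before the behaviour disappears; and the two usage examples are typeset differently (the first puts `emailAddress` in roman on its own line, the second uses `ext:\fRsubjectAltName` inline), which is worth making consistent.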