Re: [Openvpn-users] having an email address as CN and using CCD


  • Subject: Re: [Openvpn-users] having an email address as CN and using CCD
  • From: James Yonan <jim@xxxxxxxxx>
  • Date: Tue, 12 Jul 2005 11:25:17 -0600 (MDT)

On Tue, 12 Jul 2005, Paul Voccio wrote:

> All,
> 
> I have almost all of my clients using certificates with their 
> cn=firstname.lastname@xxxxxxxxxxx This works well in managing the 
> certificates as well as using the openvpn management console. However, I 
> now wish to use the ccd option to push some static addresses to some users. 
> I played with it for a bit and was not able to get it working with a 
> certificate with an '@' symbol in the CN but was able to get it working 
> with a certificate without the @.
> 
> Has anybody seen/known about this before? If so, is there a workaround 
> that doesn't involve me regenerating certificates for everyone? I poked 
> around the list archives but didn't find anything related.

This is a string remapping issue as described here:

http://openvpn.net/man.html#lbAR

The problem is that in OpenVPN 2.0, the '@' character is allowed in a 
common name but not in a --client-config-dir file.  This seems wrong -- 
both should allow the same character class.

Here are a couple of workarounds:

(1) Right now, OpenVPN will be converting the '@' to '_' before it tries
to open the --client-config-dir filename.  So if

  cn=firstname.lastname@xxxxxxxxxx

then the client-config-dir file which OpenVPN would try to open is

  firstname.lastname_domain.com

(2) I'm attaching a trivial patch against 2.0 which will add '@' to the
--client-config-dir filename character class.  This only needs to be 
applied to the server.

Medium term, I expect this patch to be in 2.0.1.

Longer term I would like to see a directive which gives fine-grained 
control over which character classes are allowed for which string types.

James
--- misc.c~	2005-04-10 21:43:57.000000000 -0600
+++ misc.c	2005-07-12 11:10:47.064978352 -0600
@@ -1026,7 +1026,7 @@
 const char *
 gen_path (const char *directory, const char *filename, struct gc_arena *gc)
 {
-  const char *safe_filename = string_mod_const (filename, CC_ALNUM|CC_UNDERBAR|CC_DASH|CC_DOT, 0, '_', gc);
+  const char *safe_filename = string_mod_const (filename, CC_ALNUM|CC_UNDERBAR|CC_DASH|CC_DOT|CC_AT, 0, '_', gc);
 
   if (safe_filename
       && strcmp (safe_filename, ".")
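Review bot: the `+` line at gen_path() now references CC_AT, but this diff does not define it; unless misc.h already provides CC_AT alongside CC_ALNUM, CC_UNDERBAR, CC_DASH and CC_DOT, the server build fails, so the flag definition should ship in the same patch. Also, gen_path() takes a generic (directory, filename) pair, so widening the class in this one line changes the filename character class for every caller that builds a path from a remapped string, not only --client-config-dir; the man page section on string remapping that the mail links should be updated to say '@' is now kept.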

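To make the remapping concrete, here is a small C re-implementation of the sanitising step the patch touches. This is an added example, not OpenVPN's code: the CC_ bit values, the string_mod/gen_path signatures and the sample CN are assumptions chosen to mirror the names in the thread. It shows the unpatched class turning '@' into '_', the patched class keeping it, and the "." / ".." refusal that stops a hostile CN from escaping the --client-config-dir directory.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
/* Flag names follow the patch; the bit values are this example's assumption. */
#define CC_ALNUM    (1u << 0)
#define CC_UNDERBAR (1u << 1)
#define CC_DASH     (1u << 2)
#define CC_DOT      (1u << 3)
#define CC_AT       (1u << 4)
static int char_allowed(unsigned char c, unsigned flags)
{
    if ((flags & CC_ALNUM) && isalnum(c)) return 1;
    if ((flags & CC_UNDERBAR) && c == '_') return 1;
    if ((flags & CC_DASH) && c == '-') return 1;
    if ((flags & CC_DOT) && c == '.') return 1;
    if ((flags & CC_AT) && c == '@') return 1;
    return 0;
}

/* Copy src to dst, replacing every character outside `flags` with `replace`;
 * '/' is never in the class, so a CN cannot inject a path separator. Returns 0 if dst is too small. */
int string_mod(char *dst, size_t dstlen, const char *src, unsigned flags, char replace)
{
    size_t i;
    for (i = 0; src[i] != '\0'; i++) {
        if (i + 1 >= dstlen) { dst[0] = '\0'; return 0; }
        dst[i] = char_allowed((unsigned char)src[i], flags) ? src[i] : replace;
    }
    dst[i] = '\0';
    return 1;
}

/* Build "<directory>/<sanitised cn>", refusing "." and ".." as the real gen_path does. Returns 0 on rejection. */
int gen_path(char *out, size_t outlen, const char *directory, const char *cn, unsigned flags)
{
    char safe[256];
    if (!string_mod(safe, sizeof safe, cn, flags, '_')) return 0;
    if (safe[0] == '\0' || !strcmp(safe, ".") || !strcmp(safe, "..")) return 0;
    return snprintf(out, outlen, "%s/%s", directory, safe) < (int)outlen;
}

int main(void)
{
    /* Constructed sample CN in the shape the thread discusses. */
    const char *cn = "firstname.lastname@domain.com", *ccd = "/etc/openvpn/ccd";
    unsigned before = CC_ALNUM | CC_UNDERBAR | CC_DASH | CC_DOT;
    char out[512];
    if (gen_path(out, sizeof out, ccd, cn, before)) printf("2.0 unpatched: %s\n", out);
    if (gen_path(out, sizeof out, ccd, cn, before | CC_AT)) printf("patched:       %s\n", out);
    return 0;
}
```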