
Re: [Openvpn-users] having an email address as CN and using CCD


  • Subject: Re: [Openvpn-users] having an email address as CN and using CCD
  • From: Paul Voccio <paul.voccio@xxxxxxxxx>
  • Date: Tue, 12 Jul 2005 13:44:23 -0400

James,


Beautiful. Converting the ccd filename to an '_' instead of the '@' works perfectly.


I agree that the cn should have the same character class. I'll probably install the patch anyways to keep things clean, but to solve this issue immediately I'll do the first workaround.

Thanks again,

Paul


James Yonan wrote:
On Tue, 12 Jul 2005, Paul Voccio wrote:


All,

I have almost all of my clients using certificates with their cn=firstname.lastname@xxxxxxxxxxx. This works well in managing the certificates as well as using the openvpn management console. However, I now wish to use the ccd option to push some static addresses to some users. I played with it for a bit and was not able to get it working with a certificate with an '@' symbol in the CN but was able to get it working with a certificate without the @.

Has anybody seen/known about this before? If so, is there a workaround that doesn't involve me regenerating certificates for everyone? I poked around the list archives but didn't find anything related.


This is a string remapping issue as described here:

http://openvpn.net/man.html#lbAR

The problem is that in OpenVPN 2.0, the '@' character is allowed in a common name but not in a --client-config-dir file. This seems wrong -- both should allow the same character class.

Here are a couple workarounds:

(1) Right now, OpenVPN will be converting the '@' to '_' before it tries to open the --client-config-dir filename.  So if

  cn=firstname.lastname@xxxxxxxxxx

then the client-config-dir file which OpenVPN would try to open is

  firstname.lastname_domain.com

(2) I'm attaching a trivial patch against 2.0 which will add '@' to the --client-config-dir filename character class. This only needs to be applied to the server.


Medium term, I expect this patch to be in 2.0.1.

Longer term I would like to see a directive which gives fine-grained control over which character classes are allowed for which string types.

James


------------------------------------------------------------------------

--- misc.c~ 2005-04-10 21:43:57.000000000 -0600
+++ misc.c 2005-07-12 11:10:47.064978352 -0600
@@ -1026,7 +1026,7 @@
const char *
gen_path (const char *directory, const char *filename, struct gc_arena *gc)
{
- const char *safe_filename = string_mod_const (filename, CC_ALNUM|CC_UNDERBAR|CC_DASH|CC_DOT, 0, '_', gc);
+ const char *safe_filename = string_mod_const (filename, CC_ALNUM|CC_UNDERBAR|CC_DASH|CC_DOT|CC_AT, 0, '_', gc);
if (safe_filename
&& strcmp (safe_filename, ".")
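Review bot: the change to the string_mod_const() call adds CC_AT to the class of characters that survive sanitizing into the --client-config-dir filename, but it relies on CC_AT already being defined in the same CC_* flag family; the hunk does not add that definition, so the patch only compiles on a tree where the constant exists. The check that follows is cut off at `&& strcmp (safe_filename, ".")`, so it is worth confirming in the full function that a sanitized name of ".." is still rejected too, since '@' now joins the set of characters that reach the filesystem unchanged. The man page's string remapping section (the http://openvpn.net/man.html#lbAR link above) should also be updated to say that '@' is accepted in client-config-dir names, otherwise administrators will keep expecting the '@' to '_' conversion described in workaround (1).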

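To make the remapping behaviour in the thread concrete, here is an added example in C that is not OpenVPN's own code: a small string_mod-style sanitizer driven by a bitmask of character classes, applied the way gen_path() applies it to a common name before opening a --client-config-dir file. The CC_* names, the remap_string()/ccd_name() helpers, the two mask macros and the CN firstname.lastname@example.com are all illustrative constructions, not the project's definitions. With the 2.0 class the '@' becomes '_' (workaround 1); with CC_AT added (the patch) it is kept. The function also shows the defensive reason such a class exists: '/' is never in the class, so a CN can never name a file outside the directory, and a result of "", "." or ".." is refused.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Illustrative character-class flags (assumed names, modelled on the idea of
 * OpenVPN's CC_* bitmask; not the project's definitions). */
#define CC_ALNUM    (1u << 0)
#define CC_UNDERBAR (1u << 1)
#define CC_DASH     (1u << 2)
#define CC_DOT      (1u << 3)
#define CC_AT       (1u << 4)

/* The --client-config-dir filename class before and after the patch. */
#define CCD_CLASS_2_0     (CC_ALNUM | CC_UNDERBAR | CC_DASH | CC_DOT)
#define CCD_CLASS_PATCHED (CCD_CLASS_2_0 | CC_AT)

/* Does character c belong to any class selected in mask? */
static int char_in_class(unsigned char c, unsigned mask)
{
    if ((mask & CC_ALNUM) && isalnum(c)) return 1;
    if ((mask & CC_UNDERBAR) && c == '_') return 1;
    if ((mask & CC_DASH) && c == '-') return 1;
    if ((mask & CC_DOT) && c == '.') return 1;
    if ((mask & CC_AT) && c == '@') return 1;
    return 0;
}

/* Copy in -> out, replacing every character outside 'allowed' with
 * 'replace' (dropping it when replace == 0). Writes at most outlen-1
 * characters plus the NUL. Returns how many characters were replaced. */
int remap_string(const char *in, unsigned allowed, char replace,
                 char *out, size_t outlen)
{
    size_t o = 0;
    int replaced = 0;
    for (const unsigned char *p = (const unsigned char *)in;
         *p && o + 1 < outlen; ++p) {
        if (char_in_class(*p, allowed)) {
            out[o++] = (char)*p;
        } else {
            ++replaced;
            if (replace)
                out[o++] = replace;
        }
    }
    out[o] = '\0';
    return replaced;
}

/* Derive the client-config-dir filename for a CN the way gen_path() would.
 * Returns a pointer to a static buffer, or NULL when the sanitized name is
 * empty, "." or ".." (the ".." refusal is this example's own addition;
 * the hunk on the page only shows the "." comparison). '/' is not in any
 * class, so it is always rewritten and the result stays inside the dir. */
const char *ccd_name(const char *cn, unsigned allowed)
{
    static char buf[256];
    remap_string(cn, allowed, '_', buf, sizeof buf);
    if (buf[0] == '\0' || strcmp(buf, ".") == 0 || strcmp(buf, "..") == 0)
        return NULL;
    return buf;
}

int main(void)
{
    /* Constructed CN in the same shape as the one in the thread. */
    const char *cn = "firstname.lastname@example.com";
    printf("2.0 class    : %s\n", ccd_name(cn, CCD_CLASS_2_0));
    printf("patched class: %s\n", ccd_name(cn, CCD_CLASS_PATCHED));
    printf("with a slash : %s\n", ccd_name("ou/bob", CCD_CLASS_PATCHED));
    printf("dot only     : %s\n", ccd_name(".", CCD_CLASS_PATCHED) ? "accepted" : "rejected");
    return 0;
}
```

Running it prints firstname.lastname_example.com for the 2.0 class and firstname.lastname@example.com once CC_AT is in the mask, which is exactly the difference between workaround (1) and workaround (2) above.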
