Diffstat (limited to 'doc/openvpn.8')
-rw-r--r-- | doc/openvpn.8 | 117 |
1 files changed, 97 insertions, 20 deletions
diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 2ed5201..d590714 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -346,20 +346,27 @@ block: .B connect-retry, .B connect-retry-max, .B connect-timeout, +.B explicit-exit-notify, .B float, +.B fragment, .B http-proxy, .B http-proxy-option, .B http-proxy-retry, .B http-proxy-timeout, +.B link-mtu, .B local, .B lport, +.B mssfix, +.B mtu-disc, .B nobind, .B port, .B proto, .B remote, .B rport, -.B socks-proxy, and -.B socks-proxy-retry. +.B socks-proxy, +.B socks-proxy-retry, +.B tun-mtu and +.B tun-mtu-extra. A defaulting mechanism exists for specifying options to apply to all @@ -3424,7 +3431,7 @@ the authenticated username as the common name, rather than the common name from the client cert. .\"********************************************************* .TP -.B \-\-compat\-names [no\-remapping] +.B \-\-compat\-names [no\-remapping] (DEPRECATED) Until OpenVPN v2.3 the format of the X.509 Subject fields was formatted like this: .IP 
@@ -3455,25 +3462,42 @@ characters in the usernames, X.509 Subject fields and Common Name variables and it complies to the RFC 2253, UTF\-8 String Representation of Distinguished Names. -As a backwards compatibility for the removed \-\-no\-name\-remapping feature in -older OpenVPN versions, the +The .B no\-remapping mode flag can be used with the .B \-\-compat\-names -option. -When this mode flag is used, the Common Name, Subject, and username strings are -allowed to include any printable character including space, but excluding -control characters such as tab, newline, and carriage-return. It ensures -compatibility with the -.B \-\-no\-name\-remapping -option of OpenVPN versions before v2.3. +option to be compatible with the now deprecated \-\-no\-name\-remapping option. +It is only available at the server. When this mode flag is used, the Common Name, +Subject, and username strings are allowed to include any printable character +including space, but excluding control characters such as tab, newline, and +carriage-return. no-remapping is only available on the server side. .B Please note: -This option will not be around for a long time. It is only implemented +This option is immediately deprecated. It is only implemented to make the transition to the new formatting less intrusive. It will be -removed either in OpenVPN v2.4 or v2.5. So please make sure you start -the process to support the new formatting as soon as possible. +removed either in OpenVPN v2.4 or v2.5. So please make sure you use the +.B \-\-verify-x509-name +option instead of +.B \-\-tls-remote +as soon as possible and update your scripts where necessary. +.\"********************************************************* +.TP +.B \-\-no\-name\-remapping (DEPRECATED) +The +.B \-\-no\-name\-remapping +option is an alias for +.B \-\-compat\-names\ no\-remapping. +It ensures compatibility with server configurations using the +.B \-\-no\-name\-remapping +option. + +.B Please note: +This option is now deprecated. 
It will be removed either in OpenVPN v2.4 +or v2.5. So please make sure you support the new X.509 name formatting +described with the +.B \-\-compat\-names +option as soon as possible. .\"********************************************************* .TP .B \-\-port-share host port [dir] @@ -4650,11 +4674,11 @@ is available via the peer_cert environment variable. Field in x509 certificate subject to be used as username (default=CN). .B Fieldname will be uppercased before matching. When this option is used, the ---tls-remote option will match against the chosen fieldname instead -of the CN. +.B \-\-verify-x509-username +option will match against the chosen fieldname instead of the CN. .\"********************************************************* .TP -.B \-\-tls-remote name +.B \-\-tls-remote name (DEPRECATED) Accept connections only from a host with X509 name or common name equal to .B name. 
@@ -4686,6 +4710,59 @@ option to verify the remote host, because works in a .B \-\-chroot environment too. + +.B Please also note: +This option is now deprecated. It will be removed either in OpenVPN v2.4 +or v2.5. So please make sure you support the new X.509 name formatting +described with the +.B \-\-compat-names +option as soon as possible by updating your configurations to use +.B \-\-verify-x509-name +instead. +.\"********************************************************* +.TP +.B \-\-verify-x509-name name type +Accept connections only if a host's X.509 name is equal to +.B name. +The remote host must also pass all other tests of verification. + +Which X.509 name is compared to +.B name +depends on the setting of type. +.B type +can be "subject" to match the complete subject DN (default), +"name" to match a subject RDN or "name-prefix" to match a subject RDN prefix. +Which RDN is verified as name depends on the +.B \-\-x509-username-field +option. But it defaults to the common name (CN), e.g. a certificate with a +subject DN "C=KG, ST=NA, L=Bishkek, CN=Server-1" would be matched by: + +.B \-\-verify-x509-name 'C=KG, ST=NA, L=Bishkek, CN=Server-1' +and +.B \-\-verify-x509-name Server-1 name +or you could use +.B \-\-verify-x509-name Server- name-prefix +if you want a client to only accept connections to "Server-1", "Server-2", etc. + +.B \-\-verify-x509-name +is a useful replacement for the +.B \-\-tls-verify +option to verify the remote host, because +.B \-\-verify-x509-name +works in a +.B \-\-chroot +environment without any dependencies. + +Using a name prefix is a useful alternative to managing +a CRL (Certificate Revocation List) on the client, since it allows the client +to refuse all certificates except for those associated +with designated servers. + +.B NOTE: +Test against a name prefix only when you are using OpenVPN with +a custom CA certificate that is under your control. 
+Never use this option with type "name-prefix" when your client certificates +are signed by a third party, such as a commercial web CA. .\"********************************************************* .TP .B \-\-x509-track attribute @@ -4723,7 +4800,7 @@ a man-in-the-middle attack where an authorized client attempts to connect to another client by impersonating the server. The attack is easily prevented by having clients verify the server certificate using any one of -.B \-\-ns-cert-type, \-\-tls-remote, +.B \-\-ns-cert-type, \-\-verify-x509-name, or .B \-\-tls-verify. .\"********************************************************* @@ -4781,7 +4858,7 @@ a man-in-the-middle attack where an authorized client attempts to connect to another client by impersonating the server. The attack is easily prevented by having clients verify the server certificate using any one of -.B \-\-remote-cert-tls, \-\-tls-remote, +.B \-\-remote-cert-tls, \-\-verify-x509-name, or .B \-\-tls-verify. .\"********************************************************* |
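Review bot: the @@ -346 hunk bundles two unrelated edits: it adds explicit-exit-notify, fragment, link-mtu, mssfix, mtu-disc, tun-mtu and tun-mtu-extra to the list of options permitted in a connection block, and it marks `--compat-names [no-remapping]` as DEPRECATED as part of the --tls-remote deprecation. Split the connection-block list change into its own commit so that the deprecation can be reviewed and backported on its own; the rewritten list tail ("tun-mtu and" / "tun-mtu-extra.") itself reads correctly.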
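Review bot: in the @@ -3455 hunk the server-only restriction is stated twice in one paragraph ("It is only available at the server." and, three lines later, "no-remapping is only available on the server side."); keep one of them. The "Please note" under --compat-names then tells the reader to replace --tls-remote with --verify-x509-name, which is advice about a different option; say what a user of --compat-names no-remapping must do (update scripts and plugins that parse the old name format) and leave the --tls-remote advice in the --tls-remote entry. "This option is immediately deprecated" also reads oddly; "This option is deprecated as of this release" is clearer. The new --no-name-remapping entry describes itself circularly ("It ensures compatibility with server configurations using the --no-name-remapping option"); it should say that the alias keeps existing configurations that still use the old option name working until the option is removed.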
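Review bot: the @@ -4650 hunk refers to a `--verify-x509-username` option in the --x509-username-field entry, but the option this patch introduces is `--verify-x509-name`; that sends readers looking for an option that does not exist. Replace the two added lines with:
.B \-\-verify-x509-name
option will match against the chosen fieldname instead of the CN.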
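Review bot: in the @@ -4686 hunk the synopsis `.B \-\-verify-x509-name name type` presents type as mandatory, but the text says "subject" is the default and the first example (`--verify-x509-name 'C=KG, ST=NA, L=Bishkek, CN=Server-1'`) omits it; write the synopsis as "name [type]" so the example agrees with it. The "Please also note" block under --tls-remote escapes the option as `\-\-compat-names` while every other mention uses `\-\-compat\-names`; make the hyphen escaping consistent. The NOTE on name-prefix should state the reason for the restriction: with type "name-prefix" every certificate issued by the trusted CA whose RDN starts with the prefix is accepted, so the check is only meaningful when you control all certificates that CA issues, and since the surrounding example is a client verifying a server, "your client certificates are signed by a third party" should refer to the certificates being verified rather than to client certificates specifically. Minor: "But it defaults to the common name (CN)" reads better as "which defaults to the common name (CN)".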