Diffstat (limited to 'doc/openvpn.8')
-rw-r--r--  doc/openvpn.8  57
1 files changed, 46 insertions, 11 deletions
diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 786719d..39b128f 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -1606,7 +1606,7 @@ and
in server mode configurations.
The server timeout is set twice the value of the second argument.
-This ensures that a timeout is dectected on client side
+This ensures that a timeout is detected on client side
before the server side drops the connection.
For example,
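Review bot: the typo fix is correct, and since this sentence is being touched anyway, the two context lines around it read awkwardly: "is set twice the value of the second argument" should be "is set to twice the value of the second argument", and "on client side" should be "on the client side".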
@@ -2459,7 +2459,7 @@ Normally, adaptive compression is enabled with
.B \-\-comp-lzo.
Adaptive compression tries to optimize the case where you have
-compression enabled, but you are sending predominantly uncompressible
+compression enabled, but you are sending predominantly incompressible
(or pre-compressed) packets over the tunnel, such as an FTP or rsync transfer
of a large, compressed file. With adaptive compression,
OpenVPN will periodically sample the compression process to measure its
@@ -2660,7 +2660,7 @@ on sufficiently fast hardware. SSL/TLS authentication must
be used in this mode.
.\"*********************************************************
.TP
-.B \-\-server network netmask
+.B \-\-server network netmask ['nopool']
A helper directive designed to simplify the configuration
of OpenVPN's server mode. This directive will set up an
OpenVPN server which will allocate addresses to clients
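Review bot: the synopsis now advertises an optional 'nopool' argument, but nothing in this hunk says what it does; the only clue on the page is the "if !nopool:" branch in the expansion further down, which shows that it suppresses the ifconfig-pool line and the pushed route-gateway. Add one sentence to the description stating that, so a reader does not have to reverse-engineer the flag from the expansion. Minor style point: the quoted bracket form ['nopool'] is unlike the rest of the page, which writes optional parts in plain brackets (compare the later "[ext:\]fieldname" synopsis); "[nopool]" would be consistent.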
@@ -2695,6 +2695,9 @@ expands as follows:
if !nopool:
ifconfig-pool 10.8.0.2 10.8.0.254 255.255.255.0
push "route-gateway 10.8.0.1"
+ if route-gateway unset:
+ route-gateway 10.8.0.2
+
.in -4
.ft
.fi
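Review bot: the new fallback "route-gateway 10.8.0.2" is added to the expansion without any prose, and the rendered diff loses the indentation that would tell the reader whether "if route-gateway unset:" sits inside the "if !nopool:" branch or at the outer level; since this is .nf text closed by ".in -4", the nesting depth needs to be unambiguous in the source. It also deserves one sentence explaining why the server's own route-gateway defaults to 10.8.0.2 while the value pushed to clients is 10.8.0.1, because the two differ and a reader will wonder whether that is a mistake. The trailing "+" line adds a blank line immediately before ".in -4", which may render as extra vertical space at the end of the example; drop it unless that spacing is intended.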
@@ -3498,7 +3501,7 @@ like this:
.B
/C=US/L=Somewhere/CN=John Doe/emailAddress=john@example.com
.IP
-In addition the old behavivour was to remap any character other than
+In addition the old behaviour was to remap any character other than
alphanumeric, underscore ('_'), dash ('-'), dot ('.'), and slash ('/') to
underscore ('_'). The X.509 Subject string as returned by the
.B tls_id
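Review bot: the spelling fix is right; the same sentence still wants a comma after "In addition".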
@@ -4354,7 +4357,7 @@ A different mode can be specified for each provider.
Mode is encoded as hex number, and can be a mask one of the following:
.B 0
-(default) \-\- Try to determind automatically.
+(default) \-\- Try to determine automatically.
.br
.B 1
\-\- Use sign.
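Review bot: the spelling fix is correct, but the context line just above it is the one a reader stumbles over: "Mode is encoded as hex number, and can be a mask one of the following:" should read "The mode is encoded as a hex number and can be a mask of the following values:".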
@@ -4745,12 +4748,44 @@ the tls-verify script returns. The file name used for the certificate
is available via the peer_cert environment variable.
.\"*********************************************************
.TP
-.B \-\-x509-username-field fieldname
-Field in x509 certificate subject to be used as username (default=CN).
-.B Fieldname
-will be uppercased before matching. When this option is used, the
-.B \-\-verify-x509-username
-option will match against the chosen fieldname instead of the CN.
+.B \-\-x509-username-field [ext:\]fieldname
+Field in the X.509 certificate subject to be used as the username (default=CN).
+Typically, this option is specified with
+.B fieldname
+as either of the following:
+
+.B \-\-x509-username-field
+emailAddress
+.br
+.B \-\-x509-username-field ext:\fRsubjectAltName
+
+The first example uses the value of the "emailAddress" attribute in the
+certificate's Subject field as the username. The second example uses
+the
+.B ext:
+prefix to signify that the X.509 extension
+.B fieldname
+"subjectAltName" be searched for an rfc822Name (email) field to be used
+as the username. In cases where there are multiple email addresses
+in
+.B ext:fieldname\fR,
+the last occurrence is chosen.
+
+When this option is used, the
+.B \-\-verify-x509-name
+option will match against the chosen
+.B fieldname
+instead of the Common Name.
+
+.B Please note:
+This option has a feature which will convert an all-lowercase
+.B fieldname
+to uppercase characters, e.g., ou -> OU. A mixed-case
+.B fieldname
+or one having the
+.B ext:
+prefix will be left as-is. This automatic upcasing feature
+is deprecated and will be removed in a future release.
.\"*********************************************************
.TP
.B \-\-tls-remote name (DEPRECATED)
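Review bot: the sentence "In cases where there are multiple email addresses in ext:fieldname, the last occurrence is chosen" documents a selection rule without stating its consequence: the chosen value becomes the username and is what --verify-x509-name is matched against, so a certificate whose subjectAltName carries several rfc822Name entries is identified by whichever one happens to be last in the extension. Spell that out, and advise operators who rely on this username to have their CA issue certificates with a single rfc822Name. Two smaller points: the synopsis ".B \-\-x509-username-field [ext:\]fieldname" contains "\]", which looks like a stray backslash rather than a groff escape (the second example line correctly uses "\fR" for its font change); unless it is there deliberately, a plain "]" is what the rest of the page uses. And the cross-reference changes silently from "--verify-x509-username" to "--verify-x509-name"; make sure the man page actually has an entry under the new name, since the adjacent "--tls-remote name (DEPRECATED)" entry shows this part of the page has been through a rename.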