Bug 1007184 - Request to enable the "--enable-x509-alt-username" compile-time option
Request to enable the "--enable-x509-alt-username" compile-time option
Status: CLOSED ERRATA
Product: Fedora EPEL
Classification: Fedora
Component: openvpn (Show other bugs)
el6
All All
unspecified Severity medium
: ---
: ---
Assigned To: Steven Pritchard
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-09-12 01:11 EDT by Andris Kalnozols
Modified: 2013-09-30 14:47 EDT (History)
3 users (show)

See Also:
Fixed In Version: openvpn-2.3.2-2.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-09-16 20:24:24 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Andris Kalnozols 2013-09-12 01:11:03 EDT
Description of problem: OpenVPN compile-time feature request

Version-Release number of selected component (if applicable): 2.3.2


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

HP issues X.509 certificates to employees called "DigitalBadges"
which are signed by an HP internal CA.  As an example, the subject
of an HP cert is similar to the following:

> Subject: O=Hewlett-Packard, OU=Employee,
> CN=John Doe/emailAddr=john.doe@hp.com

Up to now, we have been authenticating using the CN field.
However, this field is not guaranteed to be unique within
HP's Enterprise Directory, e.g., there are six people with
"John Smith" and four with "Eric Wu".  The "emailAddr"
field is unique across HP, however.

I noticed that openvpn version 2.3 came out with a new option
called "--x509-username-field" that must be explicitly enabled
at compile time using the "--enable-x509-alt-username" option.
Currently, the EPEL6 openvpn package does not have this feature
enabled.  Could you please consider enabling it?  This would
help security by preventing authentication sharing among people
with the same Common Name attribute.

The Debian openvpn package has the same issue.  I communicated
with its maintainer, Alberto Gonzalez Iniesta, and he agreed
that the "--x509-username-field" option will be available in
the Debian binary packages as soon as the upstream developers
sign off on a small patch related to this feature.  It would be
great for users of Redhat/Fedora to also have access to this
feature.  Thanks.
Comment 1 Fedora Update System 2013-09-12 10:38:41 EDT
openvpn-2.3.2-4.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/openvpn-2.3.2-4.fc19
Comment 2 Fedora Update System 2013-09-12 10:38:54 EDT
openvpn-2.3.2-2.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/openvpn-2.3.2-2.el6
Comment 3 Fedora Update System 2013-09-12 10:39:03 EDT
openvpn-2.3.2-4.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/openvpn-2.3.2-4.fc20
Comment 4 Fedora Update System 2013-09-12 10:39:15 EDT
openvpn-2.3.2-2.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/openvpn-2.3.2-2.el5
Comment 5 Fedora Update System 2013-09-12 10:39:24 EDT
openvpn-2.3.2-4.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/openvpn-2.3.2-4.fc18
Comment 6 Fedora Update System 2013-09-12 12:26:40 EDT
Package openvpn-2.3.2-4.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing openvpn-2.3.2-4.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-16513/openvpn-2.3.2-4.fc20
then log in and leave karma (feedback).
Comment 7 Fedora Update System 2013-09-16 20:24:24 EDT
openvpn-2.3.2-4.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2013-09-21 04:38:27 EDT
openvpn-2.3.2-4.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2013-09-22 20:11:03 EDT
openvpn-2.3.2-4.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2013-09-30 14:46:35 EDT
openvpn-2.3.2-2.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2013-09-30 14:47:00 EDT
openvpn-2.3.2-2.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.