Bug 1443942 - enable the x509-username-field option
Summary: enable the x509-username-field option
Alias: None
Product: Fedora
Classification: Fedora
Component: openvpn
Version: 25
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: David Sommerseth
QA Contact: Fedora Extras Quality Assurance
Reported: 2017-04-20 10:06 UTC by Hristo Venev
Modified: 2017-05-14 20:21 UTC

Fixed In Version: openvpn-2.4.2-1.fc26
Last Closed: 2017-05-14 20:21:08 UTC

Description Hristo Venev 2017-04-20 10:06:03 UTC
Description of problem:
openvpn fails to start if the x509-username-field is specified.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Add the x509-username-field option to the OpenVPN config file.
2. Attempt to start OpenVPN.

Actual results:
OpenVPN fails to start.

Expected results:
OpenVPN starts successfully.

Additional info:
./configure --enable-x509-alt-username

Comment 1 Hristo Venev 2017-04-20 10:11:47 UTC
Sorry, the version is 2.4.1.

Comment 2 David Sommerseth 2017-04-20 10:49:04 UTC
Sorry about removing that feature in the packaging clean-up.  On the other hand, I now know there is at least one user of this feature.

Could you please test a scratch build and see how that works for you?

* x86_64 build:

* armv7hl build

* i686 build

Just pick the build which best matches your environment.

This fix will be in the pipe for the next OpenVPN build, unless there are more users needing this fix in the meantime.

Comment 3 Hristo Venev 2017-04-20 12:37:49 UTC
The option seems to be enabled in your build. I also managed to port this to Fedora 26 and fixed an OpenVPN bug with numeric OIDs. I'll try to upstream the patches.

Here's a SRPM: https://copr-be.cloud.fedoraproject.org/results/hvenev/experiments/fedora-26-x86_64/00541892-openvpn/openvpn-2.4.1-3.1.fc26.src.rpm

Comment 4 David Sommerseth 2017-04-20 12:50:42 UTC
Thanks a lot!  I've just given your src.rpm a very quick look, but spotted you seem to have done some OpenSSL 1.1 porting as well.

There is an upstream effort already on-going doing the OpenSSL v1.1 port.  You can see the patches here: http://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14075.html

If you have any chance to test, review and comment on those still not applied to the upstream OpenVPN, we'd be thankful for that help.  Get in touch with me directly on e-mail and I'll get you the needed pointers to reply properly.

For 0002-Fix-extract_x509_field_ssl-for-external-objects.patch, this looks reasonable to get upstream as well.  But I'd encourage you to elaborate a bit more in the commit message on what is wrong and why, plus some brief explanation of why you chose this approach - especially if there are more alternatives.  With that in place + a signed-off-by line, that patch looks reasonable and shouldn't have too many struggles for inclusion - as long as it doesn't break existing configurations (which I don't think your patch will do).

Comment 5 Fedora Update System 2017-05-11 20:24:00 UTC
openvpn-2.4.2-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-89d98779ec

Comment 6 Fedora Update System 2017-05-13 01:12:25 UTC
openvpn-2.4.2-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-89d98779ec

Comment 7 Fedora Update System 2017-05-14 20:21:08 UTC
openvpn-2.4.2-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
