documentation: improve documentation of --x509-track

In the current state it was completely unclear to me how you
would use this. Extended the description based on reading the
code and experimentation.

Change-Id: Ibf728f9d624e64ecda094d66fa562bd3916829d2
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20231213143324.226443-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27804.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This commit is contained in:
Frank Lichtenheld 2023-12-13 15:33:24 +01:00 committed by Gert Doering
parent 3e30504d86
commit 139607286c
2 changed files with 24 additions and 2 deletions

@ -916,6 +916,9 @@ instances.
verification level is 0 for the client certificate and 1 for the CA verification level is 0 for the client certificate and 1 for the CA
certificate. certificate.
You can use the ``--x509-track`` option to export more or less information
from the certificates.
:: ::
X509_0_emailAddress=me@myhost.mydomain X509_0_emailAddress=me@myhost.mydomain
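Review bot: the new sentence "You can use the ``--x509-track`` option to export more or less information from the certificates." is inserted directly before the ``::`` example block, so the ``X509_0_emailAddress=...`` lines that follow now read as an illustration of ``--x509-track`` rather than of the default export they actually show. Suggest placing the sentence after the example block, and replacing the vague "more or less information" with what the option does, e.g. "to control which attributes are exported and whether they are exported for the whole chain" (see the ``--x509-track`` entry in the options reference).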

@ -695,10 +695,29 @@ If the option is inlined, ``algo`` is always :code:`SHA256`.
--x509-track attribute --x509-track attribute
Save peer X509 **attribute** value in environment for use by plugins and Save peer X509 **attribute** value in environment for use by plugins and
management interface. Prepend a :code:`+` to ``attribute`` to save values management interface. Prepend a :code:`+` to ``attribute`` to save values
from full cert chain. Values will be encoded as from full cert chain. Otherwise the attribute will only be exported for
:code:`X509_<depth>_<attribute>=<value>`. Multiple ``--x509-track`` the leaf cert (i.e. depth :code:`0` of the cert chain). Values will be
encoded as :code:`X509_<depth>_<attribute>=<value>`. Multiple ``--x509-track``
options can be defined to track multiple attributes. options can be defined to track multiple attributes.
``attribute`` can be any part of the X509 Subject field or any X509v3
extension (RFC 3280). X509v3 extensions might not be supported when
not using the default TLS backend library (OpenSSL). You can also
request the ``SHA1`` and ``SHA256`` fingerprints of the cert,
but that is always exported as :code:`tls_digest_{n}` and
:code:`tls_digest_sha256_{n}` anyway.
Note that by default **all** parts of the X509 Subject field are exported in
the environment for the whole cert chain. If you use ``--x509-track`` at least
once **only** the attributes specified by these options are exported.
Examples::
x509-track CN # exports only X509_0_CN
x509-track +CN # exports X509_{n}_CN for chain
x509-track basicConstraints # exports value of "X509v3 Basic Constraints"
x509-track SHA256 # exports SHA256 fingerprint
--x509-username-field args --x509-username-field args
Fields in the X.509 certificate subject to be used as the username Fields in the X.509 certificate subject to be used as the username
(default :code:`CN`). If multiple fields are specified their values (default :code:`CN`). If multiple fields are specified their values