From: Jeremie Courreges-Anglas <jca@wxcvbn.org>
Subject: Re: openvpn: enable --x509-username-field
To: Klemens Nanni <kn@openbsd.org>
Cc: ports <ports@openbsd.org>
Date: Mon, 21 Apr 2025 19:36:49 +0200

On Sat, Apr 19, 2025 at 03:28:59PM +0000, Klemens Nanni wrote:
> Very useful if you need to distinguish usernames for clients with multiple
> certificates and/or want to verify more than just CN without having to call
> a --tls-verify script or full-fledged module for that:
> 
>      --x509-username-field args
>             Fields in the X.509 certificate subject to be used as the username
>             (default CN). If multiple fields are specified their values will
>             be concatenated into the one username using _ symbol as a
>             separator.
>      [...]
>             When this option is used, the --verify-x509-name option will match
>             against the chosen fieldname instead of the Common Name.
> 
> Works great in my setup; I have not tested mbedtls.

Wrong time to omit a test build; it fails at configure time:

  configure: error: mbed TLS does not support the --x509-username-field feature

I verified that the default behavior still works using the CN of the
subject.

> OK?

ok for the diff below.


Index: Makefile
===================================================================
RCS file: /cvs/ports/net/openvpn/Makefile,v
diff -u -p -r1.133 Makefile
--- Makefile	3 Apr 2025 11:49:31 -0000	1.133
+++ Makefile	21 Apr 2025 17:14:19 -0000
@@ -1,6 +1,7 @@
 COMMENT=	easy-to-use, robust, and highly configurable VPN
 
 DISTNAME=	openvpn-2.6.14
+REVISION=	0
 
 CATEGORIES=	net security
 
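Review bot: the REVISION= 0 bump is required here because the new configure flag changes the built package while DISTNAME stays at openvpn-2.6.14; a bare flag change without the bump would leave already-installed packages unaware of the rebuild.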
@@ -39,7 +40,8 @@ WANTLIB += mbedcrypto mbedtls mbedx509 p
 # ensure 'pkcs11-providers .../p11-kit-proxy.so' as default
 BUILD_DEPENDS+=	security/p11-kit
 LIB_DEPENDS+=	security/pkcs11-helper
-CONFIGURE_ARGS+= --enable-pkcs11
+CONFIGURE_ARGS+= --enable-pkcs11 \
+		--enable-x509-alt-username
 WANTLIB += crypto pkcs11-helper ssl
 .endif
 
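Review bot: given the configure error reported above for mbed TLS, --enable-x509-alt-username must only be passed in the OpenSSL branch of the conditional; the surrounding context (`WANTLIB += crypto pkcs11-helper ssl` followed by `.endif`) shows the addition lands there, while the hunk header's `WANTLIB += mbedcrypto mbedtls mbedx509 p` line only identifies the preceding mbed TLS block, so the placement is correct. The tab-indented backslash continuation matches the style used elsewhere in ports Makefiles.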

-- 
jca
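To make the quoted option semantics concrete (default to CN; several fields joined into one username with `_`), here is an added example that is neither part of the port nor OpenVPN's own code. It models the username derivation over constructed certificate subjects and runs the check an administrator would want before enabling the option: whether the chosen fields actually give every client certificate a distinct username. Treating a missing requested field as a verification failure is this example's assumption, not something the man page excerpt above states.

```python
# Added example: models how OpenVPN derives the username from the X.509 subject
# under --x509-username-field and checks a set of client certs for collisions.
# Not taken from the OpenBSD port or from OpenVPN itself.

from typing import Optional

# A certificate subject as an ordered list of (field, value) pairs.
Subject = list[tuple[str, str]]

DEFAULT_FIELDS = ["CN"]  # OpenVPN's default when the option is not given
SEPARATOR = "_"          # separator used when several fields are configured


def subject_value(subject: Subject, field: str) -> Optional[str]:
    """Return the first value of `field` in the subject, or None if absent."""
    for name, value in subject:
        if name == field:
            return value
    return None


def username_from_subject(subject: Subject,
                          fields: Optional[list[str]] = None) -> Optional[str]:
    """Derive the username: the requested fields concatenated with '_'.

    Returns None when any requested field is missing. This example treats that
    as a verification failure (an assumption; the page does not specify it).
    """
    fields = fields or DEFAULT_FIELDS
    parts = []
    for field in fields:
        value = subject_value(subject, field)
        if value is None:
            return None
        parts.append(value)
    return SEPARATOR.join(parts)


def duplicate_usernames(subjects: list[Subject],
                        fields: Optional[list[str]] = None) -> dict:
    """Map each username produced by more than one certificate to the indexes
    of the colliding certificates. An empty dict means all usernames differ."""
    seen: dict = {}
    for idx, subject in enumerate(subjects):
        name = username_from_subject(subject, fields)
        seen.setdefault(name, []).append(idx)
    return {name: idxs for name, idxs in seen.items() if len(idxs) > 1}


# Constructed sample data: one user with two certificates (laptop and phone)
# sharing the same CN, plus a second user.
SAMPLE_SUBJECTS: list[Subject] = [
    [("C", "XX"), ("O", "Example"), ("CN", "alice"), ("serialNumber", "laptop-01")],
    [("C", "XX"), ("O", "Example"), ("CN", "alice"), ("serialNumber", "phone-02")],
    [("C", "XX"), ("O", "Example"), ("CN", "bob"), ("serialNumber", "laptop-03")],
]

if __name__ == "__main__":
    # With the default (CN only) alice's two certificates collide.
    print(duplicate_usernames(SAMPLE_SUBJECTS))
    # With "CN serialNumber" every certificate maps to a distinct username.
    print(duplicate_usernames(SAMPLE_SUBJECTS, ["CN", "serialNumber"]))
```

Run it directly to see the collision report for both field choices; the point is that a multi-certificate user is only distinguishable once a second subject field is folded into the username.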