3 # verify-cn -- a sample OpenVPN tls-verify script
5 # Return 0 if cn matches the common name component of
6 # X509_NAME_oneline, 1 otherwise.
8 # For example in OpenVPN, you could use the directive:
10 # tls-verify "./verify-cn Test-Client"
12 # This would cause the connection to be dropped unless
13 # the client common name is "Test-Client"
15 die "usage: verify-cn cn certificate_depth X509_NAME_oneline" if (@ARGV != 3);
17 # Parse out arguments:
18 # cn -- The common name which the client is required to have,
19 # taken from the argument to the tls-verify directive
20 # in the OpenVPN config file.
21 # depth -- The current certificate chain depth. In a typical
22 # bi-level chain, the root certificate will be at level
23 # 1 and the client certificate will be at level 0.
24 # This script will be called separately for each level.
25 # x509 -- the X509 subject string as extracted by OpenVPN from
26 # the client's provided certificate.
27 ($cn, $depth, $x509) = @ARGV;
30 # If depth is zero, we know that this is the final
31 # certificate in the chain (i.e. the client certificate),
32 # and the one we are interested in examining.
33 # If so, parse out the common name substring in
34 # the X509 subject string.
36 if ($x509 =~ /\/CN
=([^\
/]+)/) {
37 # Accept the connection if the X509 common name
38 # string matches the passed cn argument.
44 # Authentication failed -- Either we could not parse
45 # the X509 subject string, or the common name in the
46 # subject string didn't match the passed cn argument.
50 # If depth is nonzero, tell OpenVPN to continue processing
51 # the certificate chain.