Document x509-username-fields oid usage
When built against OpenSSL, the parameters of the x509-username-fields
option are in extract_x509_field_ssl() fed through OBJ_txt2obj() [0]
which accepts "long names and short names [...] as well as numerical
forms." Because of this, you can for example use `x509-username-field
2.5.4.41` to make OpenVPN read the `name` field [1].

x509-username-fields is currently not implemented for mbed TLS, so that
can be ignored.

[0] https://docs.openssl.org/1.1.1/man3/OBJ_nid2obj/
[1] https://oidref.com/2.5.4.41

Signed-off-by: Corubba Smith <[email protected]>
Acked-by: Gert Doering <[email protected]>
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/[email protected]/msg30916.html
Signed-off-by: Gert Doering <[email protected]>
corubba authored and cron2 committed Feb 20, 2025
1 parent 4599c92 commit 680ad84
Showing 1 changed file with 4 additions and 2 deletions.
6 changes: 4 additions & 2 deletions doc/man-sections/tls-options.rst
Expand Up @@ -744,11 +744,13 @@ If the option is inlined, ``algo`` is always :code:`SHA256`.
::

x509-username-field emailAddress
x509-username-field 1.2.840.113549.1.9.1
x509-username-field ext:subjectAltName
x509-username-field CN serialNumber

The first example uses the value of the :code:`emailAddress` attribute
in the certificate's Subject field as the username. The second example
The first two examples use the value of the :code:`emailAddress` attribute
in the certificate's Subject field as the username, where the first example
uses the name while the second example uses the oid. The third example
uses the :code:`ext:` prefix to signify that the X.509 extension
``fieldname`` :code:`subjectAltName` be searched for an rfc822Name
(email) field to be used as the username. In cases where there are
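
Review bot: The new sentence ending "while the second example uses the oid" documents the numeric form without the qualification given in the commit message, namely that it works because OpenSSL's OBJ_txt2obj() accepts long names, short names and numerical forms. Since x509-username-field decides which certificate attribute becomes the username, the man page should say that the dotted numeric form is accepted on OpenSSL builds, so that nobody assumes it is a backend-independent guarantee. Two smaller points on the same lines: write "OID" in capitals, and consider marking the numeric value with :code: in the prose, the way :code:`emailAddress` is, so the reader can match it to the second example line.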