VPN: OpenVPN: Instances - support case insensitive strictusercn matching for instances, closes https://github.com/opnsense/core/pull/7862

2026-03-17 01:54:49 +00:00 · 2024-10-11 19:49:26 +02:00 · 2024-10-11 19:49:26 +02:00 · c345e01de2
commit c345e01de2
parent a3b6d90291
3 changed files with 17 additions and 9 deletions
--- a/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/forms/dialogInstance.xml
+++ b/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/forms/dialogInstance.xml
@ -271,8 +271,8 @@
    <field>
        <id>instance.strictusercn</id>
        <label>Strict User/CN Matching</label>
-        <type>checkbox</type>
-        <style>role role_server</style>
+        <type>dropdown</type>
+        <style>selectpicker role role_server</style>
        <help>When authenticating users, enforce a match between the Common Name of the client certificate and the username given at login.</help>
    </field>
    <field>
--- a/src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.xml
@ -293,9 +293,14 @@
                    <Default>0</Default>
                    <Required>Y</Required>
                </username_as_common_name>
-                <strictusercn type="BooleanField">
-                    <Default>0</Default>
+                <strictusercn type="OptionField">
                    <Required>Y</Required>
+                    <Default>0</Default>
+                    <OptionValues>
+                        <o0 value="0">No</o0>
+                        <o1 value="1">Yes</o1>
+                        <o2 value="2">Yes (case insensitive)</o2>
+                    </OptionValues>
                </strictusercn>
                <username type="TextField"/>
                <password type="TextField"/>
--- a/src/opnsense/scripts/openvpn/user_pass_verify.php
+++ b/src/opnsense/scripts/openvpn/user_pass_verify.php
@ -96,11 +96,14 @@ function do_auth($common_name, $serverid, $method, $auth_file)
    if ($a_server == null) {
        return "OpenVPN '$serverid' was not found. Denying authentication for user {$username}";
    } elseif (!empty($a_server['strictusercn']) && $username != $common_name) {
-        return sprintf(
-            "Username does not match certificate common name (%s != %s), access denied.",
-            $username,
-            $common_name
-        );
+        // only ignore case when explicitly set (strictusercn=2)
+        if (!($a_server['strictusercn'] == 2 && strtolower($username) == strtolower($common_name))) {
+            return sprintf(
+                "Username does not match certificate common name (%s != %s), access denied.",
+                $username,
+                $common_name
+            );
+        }
    } elseif (empty($a_server['authmode'])) {
        return 'No authentication server has been selected to authenticate against. ' .
        "Denying authentication for user {$username}";