GNOME Bugzilla – Bug 675439
network manager's method of validating a tls cert is too inflexible
Last modified: 2017-01-19 18:34:29 UTC
I am connecting to a load balancer which hands me off to one back-end server which is in a pool of lots of servers.

NetworkManager requires me to specify something like this:

/C=blah/ST=blah/L=blah/O=blah/CN=host1.example.net/emailAddress=root@example.net

I'd like to be able to specify one of these instead:

/C=blah/ST=blah/L=blah/O=blah/emailAddress=root@example.net
/C=blah/ST=blah/L=blah/O=blah/CN=host.*.example.net/emailAddress=root@example.net
/C=blah/ST=blah/L=blah/O=blah/CN=host[0-9].example.net/emailAddress=root@example.net

In other words, perform a partial match or regex match, instead of doing a simple string comparison.

Without this feature, I have two options:
1. Change the TLS config option to another server and try again
2. Keep trying to reconnect
3. Disable MITM protection entirely (!)

Thanks.
The nm-openvpn plugin just wraps the openvpn binary. openvpn supports an option --verify-x509-name name type which should allow you to do what you want.

nm-openvpn (at least in recent versions) also supports this option: https://git.gnome.org/browse/network-manager-openvpn/commit/?h=763548d00a0472577ebb35083939fa3039ff17de

Closing this as a duplicate of bug 770922.

*** This bug has been marked as a duplicate of bug 770922 ***
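To make the suggested option concrete, the following is an added Python model of how the three --verify-x509-name types (subject, name, name-prefix) compare a server certificate's DN against the configured value. It is illustration code written for this page, not OpenVPN's or nm-openvpn's implementation; the DN strings and host names are constructed samples, and the slash-separated DN parser is a simplification that assumes attribute values contain no '/'. It shows why name-prefix with the value "host" covers the reporter's host1..hostN pool without regex support, and also why a short prefix is looser than the regex the reporter asked for: it would accept any CN that happens to start with "host".

```python
# Model of OpenVPN's --verify-x509-name modes (added example, not OpenVPN code).
from typing import Dict


def parse_dn(dn: str) -> Dict[str, str]:
    """Parse a slash-separated DN such as /C=US/ST=CA/CN=host1.example.net
    into a dict. Simplification: values may not contain '/'."""
    parts: Dict[str, str] = {}
    for component in dn.strip().strip("/").split("/"):
        if not component:
            continue
        key, sep, value = component.partition("=")
        if not sep:
            raise ValueError(f"malformed DN component: {component!r}")
        parts[key.strip()] = value.strip()
    return parts


def verify_x509_name(cert_dn: str, expected: str, mode: str) -> bool:
    """Return True if the presented certificate DN satisfies the check.

    mode 'subject'     : the whole DN string must match exactly
    mode 'name'        : the CN must match `expected` exactly
    mode 'name-prefix' : the CN must start with `expected`
    """
    if mode == "subject":
        return cert_dn.strip() == expected.strip()
    cn = parse_dn(cert_dn).get("CN", "")
    if mode == "name":
        return cn == expected
    if mode == "name-prefix":
        return cn.startswith(expected)
    raise ValueError(f"unknown verification mode: {mode!r}")


def hosts_accepted(cert_dns, expected: str, mode: str):
    """Return the CNs from `cert_dns` that the check would accept; handy for
    auditing how wide a prefix really is before deploying it."""
    return [parse_dn(d)["CN"] for d in cert_dns
            if verify_x509_name(d, expected, mode)]


# Constructed sample data: a three-server pool behind the load balancer plus
# one unrelated certificate signed by the same CA whose CN also starts with "host".
DN_TEMPLATE = "/C=US/ST=CA/L=SF/O=Example/CN={cn}/emailAddress=root@example.net"
POOL = [DN_TEMPLATE.format(cn=f"host{i}.example.net") for i in (1, 2, 3)]
ROGUE = DN_TEMPLATE.format(cn="hostile.example.net")


if __name__ == "__main__":
    print("subject, host1 only :", hosts_accepted(POOL + [ROGUE], POOL[0], "subject"))
    print("name-prefix 'host'  :", hosts_accepted(POOL + [ROGUE], "host", "name-prefix"))
    print("name-prefix 'host1' :", hosts_accepted(POOL + [ROGUE], "host1", "name-prefix"))
```

The audit helper is the practical takeaway: with subject or name verification only one pool member is accepted, with the prefix "host" every pool member is accepted but so is the unrelated "hostile" certificate, so the prefix should be as long as the pool's naming scheme allows (or the pool should share a single CN or SAN) rather than the shortest string that happens to work.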