make --tls-remote compatible with pre 2.3 configs

In openvpn 2.3.0 the semantics of the --tls-remote option changed.
That broke more configurations than anticipated. To not break
configurations that use --tls-remote with a legacy OpenSSL style DN
anymore, it is now detected when such a DN is configured. When
necessary the --compat-names option is then automatically enabled.

Signed-off-by: Heiko Hund <heiko.hund@sophos.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: 1361526263-1740-3-git-send-email-heiko.hund@sophos.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/7366
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit ad532bba896875e56488e69ec16212a77787c57b)

diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index dd38bc97ac9f80eb81e4bf2759b7d1cd9645a2be..7fda76f5fbb0bf0b5a36613b602600ce9956e96a 100644 (file)
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -6528,6 +6528,12 @@ add_option (struct options *options,
   else if (streq (p[0], "tls-remote") && p[1])
     {
       VERIFY_PERMISSION (OPT_P_GENERAL);
+      /*
+       * Enable legacy openvpn format for DNs that have not been converted
+       * yet and X.509 common names (not containing an '=' or ', ')
+       */
+      if (p[1][0] == '/' || !strchr (p[1], '=') || !strstr (p[1], ", "))
+        compat_flag (COMPAT_FLAG_SET | COMPAT_NAMES);
       options->tls_remote = p[1];
     }
   else if (streq (p[0], "ns-cert-type") && p[1])