verify-x509-name with name-prefix mode does full subject match instead of prefix match

[raisOr1337]

Version: OpenVPN 2.6.14 (deb13u1)
OS: Debian Trixie (raspberry pi OS)

Expected behavior:
This option in the server.conf
verify-x509-name "C=A, ST=B, L=C, O=D, OU=E" name-prefix
should match any certificate whose subject STARTS with this string.

The intention is that the server only accepts certificates with certain values in certain fields that are the same across all client-certificates.
Since CN and emailAddress are different in the client certs, I need to match only the fields that are identical.

Actual behavior:
Full subject match is performed. Certificates with additional fields (CN, emailAddress) are rejected.

Log output:
VERIFY X509NAME ERROR: C=A, ST=B, L=C, O=D, OU=E, CN=F, emailAddress=G,
must be C=A, ST=B, L=C, O=D, OU=E

Increasing verb to 6 showed that the server is using this:
verify_x509_type = 3 (expected: 2 for name-prefix?)

Steps to reproduce:

1. Create CA with EASYRSA_DN "org"
2. Issue server/client certs with O, OU, CN, email fields
3. Set verify-x509-name with name-prefix on server
4. Connect with client -> VERIFY X509NAME ERROR

[selvanair]

The name-prefix match is against the common-name not the whole subject. See the description in the man page:

--verify-x509-name args

Accept connections only if a host's X.509 name is equal to name. 
The remote host must also pass all other tests of verifica‐tion.

   Valid syntax:

   verify-x509 name type

   Which X.509 name is compared to name depends on the setting of type.  
type can be subject to match the complete  subject  DN (default),  name  
to match a subject RDN or name-prefix to match a subject RDN prefix.
Which RDN is verified as name depends on the --x509-username-field
option. But it defaults to the common name (CN), e.g. a certificate with a
subject DN

   C=KG, ST=NA, L=Bishkek, CN=Server-1

   would be matched by:

   verify-x509-name 'C=KG, ST=NA, L=Bishkek, CN=Server-1'
   verify-x509-name Server-1 name
   verify-x509-name Server- name-prefix

verify_x509_type = 3 is correct, but the error message is a bit misleading as it prints the whole subject followed by the match string even whenit is trying to match the common-name.

[selvanair]

The name-prefix match is against the common-name not the whole subject. See the description in the man page:

--verify-x509-name args

Accept connections only if a host's X.509 name is equal to name. 
The remote host must also pass all other tests of verifica‐tion.

   Valid syntax:

   verify-x509 name type

   Which X.509 name is compared to name depends on the setting of type.  
type can be subject to match the complete  subject  DN (default),  name  
to match a subject RDN or name-prefix to match a subject RDN prefix.
Which RDN is verified as name depends on the --x509-username-field
option. But it defaults to the common name (CN), e.g. a certificate with a
subject DN

   C=KG, ST=NA, L=Bishkek, CN=Server-1

   would be matched by:

   verify-x509-name 'C=KG, ST=NA, L=Bishkek, CN=Server-1'
   verify-x509-name Server-1 name
   verify-x509-name Server- name-prefix

verify_x509_type = 3 is correct, but the error message is a bit misleading as it prints the whole subject followed by the match string even whenit is trying to match the common-name.