@@ -3288,6 +3288,20 @@ For a sample script that performs PAM authentication, see

 in the OpenVPN source distribution.

 .\"*********************************************************

 .TP

+.B --opt-verify

+Clients that connect with options that are incompatible

+with those of the server will be disconnected.

+

+Options that will be compared for compatibility include

+dev-type, link-mtu, tun-mtu, proto, tun-ipv6, ifconfig,

+comp-lzo, fragment, keydir, cipher, auth, keysize, secret,

+no-replay, no-iv, tls-auth, key-method, tls-server, and tls-client.

+

+This option requires that

+.B --disable-occ

+NOT be used.

+.\"*********************************************************

+.TP

 .B --auth-user-pass-optional

 Allow connections by clients that do not specify a username/password.

 Normally, when

@@ -384,6 +384,8 @@ static const char usage_message[] =

   "                  run script cmd to verify.  If method='via-env', pass\n"

   "                  user/pass via environment, if method='via-file', pass\n"

   "                  user/pass via temporary file.\n"

+  "--opt-verify    : Clients that connect with options that are incompatible\n"

+  "                  with those of the server will be disconnected.\n"

   "--auth-user-pass-optional : Allow connections by clients that don't\n"

   "                  specify a username/password.\n"

   "--no-name-remapping : Allow Common Name and X509 Subject to include\n"

@@ -1758,6 +1760,8 @@ options_postprocess_verify_ce (const struct options *options, const struct conne

 	msg (M_USAGE, "--username-as-common-name requires --mode server");

       if (options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL)

 	msg (M_USAGE, "--auth-user-pass-optional requires --mode server");

+      if (options->ssl_flags & SSLF_OPT_VERIFY)

+	msg (M_USAGE, "--opt-verify requires --mode server");

       if (options->auth_user_pass_verify_script)

 	msg (M_USAGE, "--auth-user-pass-verify requires --mode server");

 #if PORT_SHARE

@@ -4625,6 +4629,11 @@ add_option (struct options *options,

       VERIFY_PERMISSION (OPT_P_GENERAL);

       options->ssl_flags |= SSLF_NO_NAME_REMAPPING;

     }

+  else if (streq (p[0], "opt-verify"))

+    {

+      VERIFY_PERMISSION (OPT_P_GENERAL);

+      options->ssl_flags |= SSLF_OPT_VERIFY;

+    }

   else if (streq (p[0], "auth-user-pass-verify") && p[1])

     {

       VERIFY_PERMISSION (OPT_P_SCRIPT);

@@ -3465,6 +3465,11 @@ key_method_2_read (struct buffer *buf, struct tls_multi *multi, struct tls_sessi

       !options_cmp_equal (options, session->opt->remote_options))

     {

       options_warning (options, session->opt->remote_options);

+      if (session->opt->ssl_flags & SSLF_OPT_VERIFY)

+	{

+	  msg (D_TLS_ERRORS, "Option inconsistency warnings triggering disconnect due to --opt-verify");

+	  ks->authenticated = false;

+	}

     }

 #endif

@@ -469,6 +469,7 @@ struct tls_options

 # define SSLF_USERNAME_AS_COMMON_NAME  (1<<1)

 # define SSLF_AUTH_USER_PASS_OPTIONAL  (1<<2)

 # define SSLF_NO_NAME_REMAPPING        (1<<3)

+# define SSLF_OPT_VERIFY               (1<<4)

   unsigned int ssl_flags;

 #ifdef MANAGEMENT_DEF_AUTH