Bug #10873
closed
Algo VPN's IPSec appears to have added name constraints on their CA cert and pfsense can't handle it
Description
This PR in algo IPS VPN configurator broke its compatibility with pfsense in its default configuration:
https://github.com/trailofbits/algo/pull/1675
More details on the issue here:
https://github.com/davidemyers/algo-pfsense/issues/2
I'm not entirely sure, but it appears there needs to be a tweak in the pfsense ipsec configuration in order to handle a CA cert with name constraints.
Updated by Jim Pingle over 3 years ago
- Status changed from New to Rejected
Reading over all that, I fail to see anything actionable on pfSense for it. Someone in the thread mentions trying to match the new setting and it didn't change anything so I'm not sure what anyone expects a change on pfSense to look like. That repo is an unsupported/unofficial add-on that we aren't going to go out of our way to accommodate.
If someone can make a specific proposal of a change in pfSense that makes logical sense and would also solve that problem, perhaps we can consider it, but without specific details of proposed changes and the logic behind them stated here, without making devs dig through comments on unrelated remote repositories, it isn't going anywhere.