Regression #13373

closed

IPsec rejects certificates if any SAN is wildcard rather than rejecting when **all** SANs are wildcard

Added by Andrew Stuart almost 2 years ago. Updated over 1 year ago.

Status: Resolved
Priority: Normal
Assignee:
Category: IPsec
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 23.01
Release Notes: Default
Affected Version: 2.5.2
Affected Architecture: amd64

Description

The patch used in https://redmine.pfsense.org/issues/11297 prevents any certificate with a wildcard SAN from being used.

Could this be changed to detect if there are other SANs available in the certificate? Or can this be changed from an error to a warning?

This is preventing me from using a certificate that has a wildcard SAN, along with multiple other SANs which are used for VPNs. This worked perfectly in previous versions.


Related issues

Related to Bug #14831: IPsec rejects certificate without any SANs (Resolved, Jim Pingle)

Actions #1

Updated by Danilo Zrenjanin almost 2 years ago

Hello Andrew -

A SAN certificate without wildcard entries should work with no issues.

Please check https://wiki.strongswan.org/issues/794#note-3

strongSwan doesn't support wildcards in certificates.

Actions #2

Updated by Jim Pingle almost 2 years ago

  • Tracker changed from Bug to Regression
  • Subject changed from #11297 prevents alternate SANs from working if a wildcard SAN is detected to IPsec rejects certificates if any SAN is wildcard rather than rejecting when **all** SANs are wildcard
  • Target version set to 2.7.0
  • Plus Target Version set to 22.11

That should be possible to address. Considering that the other SANs do work, we probably should not fail a certificate unless all of the SANs are wildcard.

The user does need some kind of indication that the IPsec daemon will ignore wildcard SANs, though, and the GUI doesn't mention anything about that in the P1 auth config when using certs.

Actions #3

Updated by Jim Pingle over 1 year ago

  • Plus Target Version changed from 22.11 to 23.01

Actions #4

Updated by Jim Pingle over 1 year ago

  • Assignee set to Jim Pingle

Actions #5

Updated by Jim Pingle over 1 year ago

  • Status changed from New to In Progress

Actions #6

Updated by Jim Pingle over 1 year ago

I re-confirmed that using a cert with one non-wildcard SAN and multiple wildcard SANs does work properly in strongSwan.

I changed the input validation such that it only rejects when every SAN is wildcard, and updated the field text to mention wildcard SANs as well. Commit coming momentarily.
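
The "any" versus "all" distinction this regression turns on, as an added illustration that is not pfSense's own validation code: the regressed rule rejects a certificate as soon as one SAN is a wildcard, while the corrected rule rejects only when no usable SAN remains and otherwise warns which SANs the IPsec daemon will ignore. SAN strings use OpenSSL's constructed "type:value" notation; the handling of a certificate with no SANs at all is an assumption here (that case was tracked separately in #14831).

```python
import re

# Only DNS SANs can be wildcards; a leading "*." label marks one.
_WILDCARD_DNS = re.compile(r"^\*\.[^*]+$")


def is_wildcard_san(san: str) -> bool:
    """True for a DNS SAN whose leftmost label is '*', e.g. 'DNS:*.example.com'."""
    kind, sep, value = san.partition(":")
    return bool(sep) and kind.strip().upper() == "DNS" and bool(_WILDCARD_DNS.match(value.strip()))


def split_sans(sans):
    """Partition SANs into those IPsec can match on and the wildcards it will ignore."""
    usable = [s for s in sans if not is_wildcard_san(s)]
    wildcard = [s for s in sans if is_wildcard_san(s)]
    return usable, wildcard


def validate_regressed(sans):
    """Behaviour described in this report: a single wildcard SAN rejects the whole certificate."""
    _, wildcard = split_sans(sans)
    if wildcard:
        return False, "Certificate contains a wildcard SAN, which IPsec does not support."
    return True, ""


def validate_fixed(sans):
    """Corrected rule: reject only when every SAN is a wildcard; otherwise accept and
    tell the user which SANs the daemon will ignore so the remaining ones are used knowingly."""
    usable, wildcard = split_sans(sans)
    if not sans:
        # Assumption for this example: a certificate with no SANs falls through to later checks.
        return True, ""
    if not usable:
        return False, "All SANs on this certificate are wildcards, so IPsec cannot use any of them."
    warning = ""
    if wildcard:
        warning = "IPsec will ignore wildcard SANs: " + ", ".join(wildcard)
    return True, warning


if __name__ == "__main__":
    # Constructed sample: the mixed certificate from the report (one wildcard, several real SANs).
    mixed = ["DNS:*.example.com", "DNS:vpn1.example.com", "IP:203.0.113.10", "email:admin@example.com"]
    print("regressed:", validate_regressed(mixed))
    print("fixed:    ", validate_fixed(mixed))
```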

Actions #7

Updated by Jim Pingle over 1 year ago

  • Status changed from In Progress to Feedback
  • % Done changed from 0 to 100

Actions #8

Updated by Jim Pingle over 1 year ago

  • Status changed from Feedback to Resolved

A cert with both a wildcard and non-wildcard SAN works on current snapshots.

Actions #9

Updated by Jim Pingle 7 months ago

  • Related to Bug #14831: IPsec rejects certificate without any SANs added