Regression #13373

open

IPsec rejects certificates if any SAN is wildcard rather than rejecting when **all** SANs are wildcard

Added by Andrew Stuart 2 months ago. Updated 2 months ago.

Status: New
Priority: Normal
Assignee: -
Category: IPsec
Target version:
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version: 22.11
Release Notes: Default
Affected Version: 2.5.2
Affected Architecture: amd64

Description

The patch used in https://redmine.pfsense.org/issues/11297 prevents any certificate with a wildcard SAN from being used.

Could this be changed to detect if there are other SANs available in the certificate? Or can this be changed from an error to a warning?

This is preventing me from using a certificate that has a wildcard SAN, along with multiple other SANs which are used for VPNs. This worked perfectly in previous versions.

#1

Updated by Danilo Zrenjanin 2 months ago

Hello Andrew -

A SAN certificate without wildcard entries should work with no issues.

Please check https://wiki.strongswan.org/issues/794#note-3

Strongswan doesn't support wildcards in certificates.

#2

Updated by Jim Pingle 2 months ago

  • Tracker changed from Bug to Regression
  • Subject changed from #11297 prevents alternate SANs from working if a wildcard SAN is detected to IPsec rejects certificates if any SAN is wildcard rather than rejecting when **all** SANs are wildcard
  • Target version set to 2.7.0
  • Plus Target Version set to 22.11

That should be possible to address. Considering that the other SANs do work, we probably should not fail a certificate unless all of the SANs are wildcard.

The user does need some kind of indication that the IPsec daemon will ignore wildcard SANs, though, and the GUI doesn't mention anything about that in the P1 auth config when using certs.
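An added illustration (not pfSense or strongSwan code) of the two validation rules discussed in this issue: the current check, which fails a certificate as soon as one SAN is a wildcard, beside the proposed check, which fails only when every SAN is a wildcard and otherwise accepts the certificate with a warning listing the SANs the IPsec daemon will ignore. SAN entries are assumed to be in OpenSSL's text form (`DNS:host`, `IP Address:a.b.c.d`), and the sample SAN list is constructed for the example.

```python
import re

# SAN entries in OpenSSL text form; only DNS entries can carry a wildcard.
# Assumption for this example: a '*' anywhere in the DNS value is a wildcard.
WILDCARD = re.compile(r"^DNS:\S*\*")


def split_sans(sans):
    """Partition a SAN list into (usable, wildcard) entries."""
    wildcard = [s for s in sans if WILDCARD.match(s)]
    usable = [s for s in sans if not WILDCARD.match(s)]
    return usable, wildcard


def validate_sans_current(sans):
    """Behaviour reported in this issue: any wildcard SAN fails the cert.
    Returns (ok, message)."""
    _usable, wildcard = split_sans(sans)
    if wildcard:
        return False, "certificate contains a wildcard SAN: " + ", ".join(wildcard)
    return True, ""


def validate_sans_proposed(sans):
    """Behaviour proposed in note #2: fail only when every SAN is a wildcard;
    otherwise accept and warn that the wildcard entries will be ignored.
    Returns (ok, message)."""
    usable, wildcard = split_sans(sans)
    if not usable:
        return False, "certificate has no usable SAN (all SANs are wildcards)"
    if wildcard:
        return True, ("wildcard SANs will be ignored by the IPsec daemon: "
                      + ", ".join(wildcard))
    return True, ""


# Constructed SAN list matching the situation in the report: one wildcard
# alongside concrete names that are used as IKE identities.
EXAMPLE_SANS = ["DNS:*.example.com", "DNS:vpn1.example.com",
                "DNS:vpn2.example.com", "IP Address:203.0.113.10"]

if __name__ == "__main__":
    for name, check in (("current", validate_sans_current),
                        ("proposed", validate_sans_proposed)):
        ok, msg = check(EXAMPLE_SANS)
        print(f"{name}: {'accept' if ok else 'reject'} {msg}")
```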
