IPsec rejects certificates if any SAN is wildcard rather than rejecting when **all** SANs are wildcard
The patch used in https://redmine.pfsense.org/issues/11297 prevents any certificate with a wildcard SAN from being used.
Could this be changed to detect if there are other SANs available in the certificate? Or can this be changed from an error to a warning?
This is preventing me from using a certificate that has a wildcard SAN, along with multiple other SANs which are used for VPNs. This worked perfectly in previous versions.
Updated by Jim Pingle 2 months ago
- Tracker changed from Bug to Regression
- Subject changed from #11297 prevents alternate SANs from working if a wildcard SAN is detected to IPsec rejects certificates if any SAN is wildcard rather than rejecting when **all** SANs are wildcard
- Target version set to 2.7.0
- Plus Target Version set to 22.11
That should be possible to address. Considering that the other SANs do work, we probably should not fail a certificate unless all of the SANs are wildcard.
The user does need some kind of indication that the IPsec daemon will ignore wildcard SANs, though, and the GUI doesn't mention anything about that in the P1 auth config when using certs.
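A validation routine reflecting the behaviour proposed in this issue (reject only when every SAN is a wildcard, and report the wildcard SANs the daemon will ignore so the GUI can warn about them), written as an added Python example; it is not pfSense's own code, and it takes SAN entries as constructed (type, value) pairs rather than parsing a certificate:

```python
from typing import List, NamedTuple, Tuple

class SanCheck(NamedTuple):
    usable: List[str]   # SANs IPsec can match against a peer identity
    ignored: List[str]  # wildcard SANs the IPsec daemon will skip
    ok: bool            # False only when SANs exist and all are wildcard

def is_wildcard(san_type: str, value: str) -> bool:
    # Only DNS names can carry a wildcard label; IP and email SANs never do.
    return san_type.upper() == "DNS" and value.startswith("*.")

def check_sans(sans: List[Tuple[str, str]]) -> SanCheck:
    usable, ignored = [], []
    for san_type, value in sans:
        entry = f"{san_type}:{value}"
        (ignored if is_wildcard(san_type, value) else usable).append(entry)
    # Reject only when SANs are present and none of them is usable.
    # A certificate with no SAN extension at all is outside this rule.
    ok = not (sans and not usable)
    return SanCheck(usable, ignored, ok)

def gui_message(check: SanCheck) -> str:
    # Text a P1 auth page could show so the user knows what will be ignored.
    if not check.ok:
        return "Certificate rejected: every SAN is a wildcard, which IPsec cannot use."
    if check.ignored:
        return ("Warning: IPsec will ignore wildcard SAN(s) "
                + ", ".join(check.ignored)
                + "; usable SAN(s): " + ", ".join(check.usable))
    return "All SANs are usable by IPsec."

if __name__ == "__main__":
    # Constructed sample: one wildcard plus two VPN-specific SANs.
    sample = [("DNS", "*.example.com"), ("DNS", "vpn.example.com"), ("IP", "203.0.113.5")]
    print(gui_message(check_sans(sample)))
```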