Regression #13373
Status: Closed
IPsec rejects certificates if any SAN is wildcard rather than rejecting when **all** SANs are wildcard
% Done: 100%
Description
The patch used in https://redmine.pfsense.org/issues/11297 prevents any certificate with a wildcard SAN from being used.
Could this be changed to detect if there are other SANs available in the certificate? Or can this be changed from an error to a warning?
This is preventing me from using a certificate that has a wildcard SAN, along with multiple other SANs which are used for VPNs. This worked perfectly in previous versions.
Related issues
Updated by Danilo Zrenjanin over 2 years ago
Hello Andrew -
A SAN certificate without wildcard entries should work with no issues.
Please check https://wiki.strongswan.org/issues/794#note-3
Strongswan doesn't support wildcards in certificates.
Updated by Jim Pingle over 2 years ago
- Tracker changed from Bug to Regression
- Subject changed from #11297 prevents alternate SANs from working if a wildcard SAN is detected to IPsec rejects certificates if any SAN is wildcard rather than rejecting when **all** SANs are wildcard
- Target version set to 2.7.0
- Plus Target Version set to 22.11
That should be possible to address. Considering that the other SANs do work, we probably should not fail a certificate unless all of the SANs are wildcard.
The user does need some kind of indication that the IPsec daemon will ignore wildcard SANs, though, and the GUI doesn't mention anything about that in the P1 auth config when using certs.
Updated by Jim Pingle about 2 years ago
- Plus Target Version changed from 22.11 to 23.01
Updated by Jim Pingle about 2 years ago
I re-confirmed that using a cert with one non-wildcard SAN and multiple wildcard SANs does work properly in strongSwan.
I changed the input validation such that it only rejects when every SAN is wildcard, and updated the field text to mention wildcard SANs as well. Commit coming momentarily.
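An added example (not pfSense or strongSwan code) of the validation rule described in the comment above: decode a certificate's subjectAltName extension and reject it only when every SAN is a wildcard, otherwise accept it and warn that the IPsec daemon will ignore the wildcard entries. The DER extension values are constructed inline rather than taken from real certificates, the "dNSName containing an asterisk" definition of wildcard is this example's, and treating a certificate with no SANs as passing the check (the rule simply does not apply) is an assumption of this example.

```python
"""Added example (not pfSense or strongSwan code): validate the SANs of a
certificate for IPsec P1 use the way this ticket describes -- reject only
when every SAN is a wildcard, and warn that the IPsec daemon ignores the
wildcard entries when they are mixed with usable names."""

# GeneralName context tags inside a subjectAltName SEQUENCE (RFC 5280 4.2.1.6).
TAG_RFC822 = 0x81   # [1] rfc822Name  (IA5String)
TAG_DNS = 0x82      # [2] dNSName     (IA5String)
TAG_IP = 0x87       # [7] iPAddress   (OCTET STRING, 4 or 16 bytes)


def _read_len(buf: bytes, i: int):
    """Decode a DER length starting at buf[i]; return (length, index_after)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("unsupported DER length encoding")
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def parse_san(der: bytes):
    """Parse a DER subjectAltName extension value into (kind, value) tuples.
    dNSName/rfc822Name are decoded as text, iPAddress as a dotted quad (v4)
    or hex (v6); any other GeneralName choice is kept as ('other', hex)."""
    if not der or der[0] != 0x30:
        raise ValueError("subjectAltName value is not a SEQUENCE")
    length, i = _read_len(der, 1)
    end = i + length
    if end != len(der):
        raise ValueError("trailing bytes after subjectAltName SEQUENCE")
    names = []
    while i < end:
        tag = der[i]
        length, i = _read_len(der, i + 1)
        value, i = der[i:i + length], i + length
        if tag == TAG_DNS:
            names.append(("dns", value.decode("ascii")))
        elif tag == TAG_RFC822:
            names.append(("email", value.decode("ascii")))
        elif tag == TAG_IP and len(value) == 4:
            names.append(("ip", ".".join(str(b) for b in value)))
        elif tag == TAG_IP:
            names.append(("ip", value.hex()))
        else:
            names.append(("other", value.hex()))
    return names


def is_wildcard(name) -> bool:
    """A dNSName containing '*' is treated as a wildcard (this example's rule)."""
    kind, value = name
    return kind == "dns" and "*" in value


def validate_ipsec_cert_sans(names):
    """Return (ok, messages). ok is False only when every SAN is a wildcard.
    A certificate with no SANs passes this check (the wildcard rule does not
    apply; identity must then come from elsewhere) -- an assumption of this
    example, not a statement of what pfSense does."""
    if not names:
        return True, ["certificate has no SANs; wildcard check not applicable"]
    wild = [value for (kind, value) in names if is_wildcard((kind, value))]
    if len(wild) == len(names):
        return False, ["every SAN is a wildcard (%s); the IPsec daemon cannot "
                       "use wildcard SANs as an identity" % ", ".join(wild)]
    msgs = []
    if wild:
        msgs.append("wildcard SANs will be ignored by the IPsec daemon: %s"
                    % ", ".join(wild))
    return True, msgs


# --- constructed sample extension values (DER built inline, not real certs) ---
def _tlv(tag: int, payload: bytes) -> bytes:
    """Encode one DER TLV with a short (<128) or one-byte long-form length."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    if n < 0x100:
        return bytes([tag, 0x81, n]) + payload
    raise ValueError("payload too long for this helper")


def san_ext(*names) -> bytes:
    """Build a subjectAltName SEQUENCE from (tag, payload) pairs."""
    return _tlv(0x30, b"".join(_tlv(t, p) for t, p in names))


MIXED_SAN = san_ext((TAG_DNS, b"*.example.com"),
                    (TAG_DNS, b"vpn1.example.com"),
                    (TAG_DNS, b"vpn2.example.com"))
ALL_WILDCARD_SAN = san_ext((TAG_DNS, b"*.example.com"),
                           (TAG_DNS, b"*.example.net"))
IP_ONLY_SAN = san_ext((TAG_IP, bytes([203, 0, 113, 10])))   # documentation range
NO_SAN = san_ext()

if __name__ == "__main__":
    for label, der in [("mixed", MIXED_SAN), ("all-wildcard", ALL_WILDCARD_SAN),
                       ("ip-only", IP_ONLY_SAN), ("no-san", NO_SAN)]:
        ok, msgs = validate_ipsec_cert_sans(parse_san(der))
        print(label, "ACCEPT" if ok else "REJECT", msgs)
```

Running the block accepts the mixed and IP-only samples (the mixed one with a warning naming `*.example.com`), rejects the all-wildcard sample, and passes the empty-SAN sample with a note, which is the distinction between the pre-fix behaviour the reporter hit and the rule adopted here.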
Updated by Jim Pingle about 2 years ago
- Status changed from In Progress to Feedback
- % Done changed from 0 to 100
Applied in changeset fa3236635876914ab330778545ec8dd7cefe7a80.
Updated by Jim Pingle about 2 years ago
- Status changed from Feedback to Resolved
A cert with both a wildcard and non-wildcard SAN works on current snapshots.
Updated by Jim Pingle about 1 year ago
- Related to Bug #14831: IPsec rejects certificate without any SANs added