Project

General

Profile

Actions

Regression #13373

closed

IPsec rejects certificates if any SAN is wildcard rather than rejecting when **all** SANs are wildcard

Added by Andrew Stuart over 2 years ago. Updated almost 2 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
IPsec
Target version:
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
23.01
Release Notes:
Default
Affected Version:
2.5.2
Affected Architecture:
amd64

Description

The patch used in https://redmine.pfsense.org/issues/11297 causes any certificate with a wildcard SAN from being used.

Could this be changed to detect if there are other SANs available in the certificate? Or can this be changed from an error to a warning?

This is preventing me from using a certificate that has a wildcard SAN, along with multiple other SANS which are used for VPNs. This worked perfectly in previous versions.


Related issues

Related to Bug #14831: IPsec rejects certificate without any SANsResolvedJim Pingle

Actions
Actions #1

Updated by Danilo Zrenjanin over 2 years ago

Hello Andrew -

SAN certificate without wildcard entries should work with no issues.

Please check https://wiki.strongswan.org/issues/794#note-3

Strongswan doesn't support wildcards in certificates.

Actions #2

Updated by Jim Pingle over 2 years ago

  • Tracker changed from Bug to Regression
  • Subject changed from #11297 prevents alternate SANs from working if a wildcard SAN is detected to IPsec rejects certificates if any SAN is wildcard rather than rejecting when **all** SANs are wildcard
  • Target version set to 2.7.0
  • Plus Target Version set to 22.11

That should be possible to address. Considering that the other SANs do work, We probably should not fail a certificate unless all of the SANs are wildcard.

The user does need some kind of indication that the IPsec daemon will ignore wildcard SANs, though, and the GUI doesn't mention anything about that in the P1 auth config when using certs.

Actions #3

Updated by Jim Pingle about 2 years ago

  • Plus Target Version changed from 22.11 to 23.01
Actions #4

Updated by Jim Pingle about 2 years ago

  • Assignee set to Jim Pingle
Actions #5

Updated by Jim Pingle almost 2 years ago

  • Status changed from New to In Progress
Actions #6

Updated by Jim Pingle almost 2 years ago

I re-confirmed that using a cert with one non-wildcard SAN and multiple wildcard SANs does work properly in strongSwan.

I changed the input validation such that it only rejects when every SAN is wildcard, and updated the field text to mention wildcard SANs as well. Commit coming momentarily.

Actions #7

Updated by Jim Pingle almost 2 years ago

  • Status changed from In Progress to Feedback
  • % Done changed from 0 to 100
Actions #8

Updated by Jim Pingle almost 2 years ago

  • Status changed from Feedback to Resolved

A cert with both a wildcard and non-wildcard SAN works on current snapshots.

Actions #9

Updated by Jim Pingle about 1 year ago

  • Related to Bug #14831: IPsec rejects certificate without any SANs added
Actions

Also available in: Atom PDF