Regression #13373: IPsec rejects certificates if any SAN is wildcard rather than rejecting when **all** SANs are wildcard - pfSense - pfSense bugtracker

Custom queries

2.4.5-p1 - Resolved/Closed
2.5.0 - Resolved/Closed
2.5.1 - Resolved/Closed
2.5.2 - Resolved/Closed
2.6.0 - Resolved/Closed
2.7.0 - Resolved/Closed
2.7.1 - All Open Issues
2.7.1 - Resolved/Closed
2.7.2 - Resolved/Closed
2.8.0 - All Open Bugs
2.8.0 - All Open Features
2.8.0 - All Open Issues
2.8.0 - All Open Regressions
2.8.0 - Feedback
2.8.0 - Needs Attention
2.8.0 - New/Confirmed
2.8.0 - Pull Requests
2.8.0 - Regressions affecting 2.7.0
2.8.0 - Resolved/Closed
21.02.2/2.5.1 - Resolved/Closed
21.05 Plus - All Closed Issues
21.05.1 Plus Target - All Closed Issues
21.05.1 Target - All Closed Issues
22.01 Plus - All Closed Issues
22.01 Target - All Closed Issues
22.05 Plus - All Closed Issues
22.05 Target - All Closed Issues
23.01 Plus - All Closed Issues
23.01 Target - All Closed Issues
23.05 Plus - All Closed Issues
23.05 Target - All Closed Issues
23.05.1 Plus - All Closed Issues
23.05.1 Target - All Closed Issues
23.09 Plus - All Closed Issues
23.09 Target - All Closed Issues
23.09.1 Plus - All Closed Issues
23.09.1 Plus - All Open Issues
23.09.1 Target - All Closed Issues
23.09.1 Target - All Open Issues
24.03 Plus - All Closed Issues
24.03 Plus - All Open Issues
24.03 Plus - Feedback Issues
24.03 Plus - Needs Attention/Work
24.03 Plus - New/Confirmed/In Progress Issues
24.03 Plus - Pull Request Review
24.03 Plus - Waiting on Merge
24.03 Target - All Closed Issues
24.03 Target - All Open Issues
All Open Issues assigned to Me
All Open Pull Requests
Any Target - All Open Regressions
Any Target - Feedback Issues
CE-Next - All Closed Issues (Move to specific target)
CE-Next - All Open Issues
CE-Next - Feedback (Likely needs target changed)
New Issues by Category - Future Target
New Issues by Category - No Target
New Issues by Category - No Target+Future
No Target - All Open Issues (Base Only)
No Target - New Issues (Base Only)
No Target - New Issues (Base and Packages)
Release Notes - Plus Target Version (DO NOT EDIT)
Release Notes - Target Version (DO NOT EDIT)

Actions

Copy link

Regression #13373

closed

IPsec rejects certificates if any SAN is wildcard rather than rejecting when all SANs are wildcard

Added by Andrew Stuart almost 2 years ago. Updated over 1 year ago.

Status:

Resolved

Priority:

Normal

Assignee:

Jim Pingle

Category:

IPsec

Target version:

2.7.0

Start date:

Due date:

% Done:

100%

Estimated time:

Plus Target Version:

23.01

Release Notes:

Default

Affected Version:

2.5.2

Affected Architecture:

amd64

Description

The patch used in https://redmine.pfsense.org/issues/11297 causes any certificate with a wildcard SAN from being used.

Could this be changed to detect if there are other SANs available in the certificate? Or can this be changed from an error to a warning?

This is preventing me from using a certificate that has a wildcard SAN, along with multiple other SANS which are used for VPNs. This worked perfectly in previous versions.

Related issues

Related to Bug #14831: IPsec rejects certificate without any SANs

Resolved

Jim Pingle

Actions

Issue # Delay: days Cancel

History
Notes
Property changes
Associated revisions

Actions

Copy link

Updated by Danilo Zrenjanin almost 2 years ago

Hello Andrew -

SAN certificate without wildcard entries should work with no issues.

Please check https://wiki.strongswan.org/issues/794#note-3

Strongswan doesn't support wildcards in certificates.

Actions

Copy link

Updated by Jim Pingle almost 2 years ago

Tracker changed from Bug to Regression
Subject changed from #11297 prevents alternate SANs from working if a wildcard SAN is detected to IPsec rejects certificates if any SAN is wildcard rather than rejecting when **all** SANs are wildcard
Target version set to 2.7.0
Plus Target Version set to 22.11

That should be possible to address. Considering that the other SANs do work, We probably should not fail a certificate unless all of the SANs are wildcard.

The user does need some kind of indication that the IPsec daemon will ignore wildcard SANs, though, and the GUI doesn't mention anything about that in the P1 auth config when using certs.

Actions

Copy link

Updated by Jim Pingle over 1 year ago

Plus Target Version changed from 22.11 to 23.01

Actions

Copy link

Updated by Jim Pingle over 1 year ago

Assignee set to Jim Pingle

Actions

Copy link

Updated by Jim Pingle over 1 year ago

Status changed from New to In Progress

Actions

Copy link

Updated by Jim Pingle over 1 year ago

I re-confirmed that using a cert with one non-wildcard SAN and multiple wildcard SANs does work properly in strongSwan.

I changed the input validation such that it only rejects when every SAN is wildcard, and updated the field text to mention wildcard SANs as well. Commit coming momentarily.

Actions

Copy link