Project

General

Profile

Bug #4792

IPSec ASN.1 DN needs double quotes in config file

Added by Cullen Trey over 4 years ago. Updated over 4 years ago.

Status:
Resolved
Priority:
High
Category:
IPsec
Target version:
Start date:
01/24/2015
Due date:
% Done:

0%

Estimated time:
Affected Version:
2.2.3
Affected Architecture:

Description

This is a bug #4275 reintroduced in 2.2.3:

Upon upgrade of 2.2.2 to 2.2.3 strongswan did not start and quit with the following message:

I ONLY adapted these lines of the old bug:

ipsec_starter73005: unable to start strongSwan -- fatal errors in config
ipsec_starter73005: invalid config file '/var/etc/ipsec/ipsec.conf'
ipsec_starter73005: /var/etc/ipsec/ipsec.conf:19: syntax error, unexpected EQ [=]
ipsec_starter73005: Starting strongSwan 5.2.3 IPsec [starter]...

Line 19 of ipsec.conf is:
leftid = asn1dn:C=CH/ST=Aargau/L=Baden/O=TechFreak/emailAddress=XXX/CN=vpn.example.com

I got StrongSwan only to accept it by changing leftif|rightid to (ommiting asn1dn)

leftid = "C=CH/ST=Aargau/L=Baden/O=TechFreak/emailAddress=XXX/CN=vpn.example.com"

this started to work again, and strongswan bootet up.

This should be checked in the GUI and automatically added to the value saved in the config file.

As the ipsec.conf is generated by the vpn.inc I adapted it the following way. Sorry for having no diff etc... Spot it by the comment line!

list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, 'local');

if ($myid_type = 'asn1dn')
$myid_data = "\"{$myid_data}\"";
else
if ($myid_type != 'address')
$myid_data = "{$myid_type}:{$myid_data}";

/* Only specify peer ID if we are not dealing with a mobile PSK-only tunnel /
$peerid_spec = '';
if (!isset($ph1ent['mobile'])) {
list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, 'peer', $rgmap);
*if ($peerid_type = 'asn1dn')
$peerid_spec = "\"{$peerid_data}\"";
else
if ($peerid_type != 'address')
$peerid_spec = "{$peerid_type}:{$peerid_data}";
else
$peerid_spec = $peerid_data;
}

Kind regards

Associated revisions

Revision 31ae45d2 (diff)
Added by Renato Botelho over 4 years ago

Add leftid and rightid value between double quotes on ipsec config when type is asn1dn. Ticket #4792

Revision d5dd538d (diff)
Added by Renato Botelho over 4 years ago

Add leftid and rightid value between double quotes on ipsec config when type is asn1dn. Ticket #4792

Revision 896b8510 (diff)
Added by Renato Botelho over 4 years ago

Fixes for IPSec ASN1.DN, ticket #4792

- Do not add leftid to confir when value is empty
- When asn1dn param is in binary form, explicit type
- Always add double quotes for asn1dn

Revision d9d237af (diff)
Added by Renato Botelho over 4 years ago

Fixes for IPSec ASN1.DN, ticket #4792

- Do not add leftid to confir when value is empty
- When asn1dn param is in binary form, explicit type
- Always add double quotes for asn1dn

History

#1 Updated by Cullen Trey over 4 years ago

Okay, understood why it is not possible to specify:

leftid = asn1dn:C=CH/ST=Aargau/L=Baden/O=TechFreak/emailAddress=XXX/CN=vpn.example.com

Strongswan wants to have asn1dn entries encoded in the binary der format:

https://lists.strongswan.org/pipermail/users/2015-May/008123.html

Ideas for an String to der format converter? Or just throw away the asn1dn identifier...?

#2 Updated by Kill Bill over 4 years ago

Cullen Trey wrote:

Or just throw away the asn1dn identifier...?

Sounds like a plan. Completely craptastic design. DER my ass.

#3 Updated by Jorge Albarenque over 4 years ago

I stumbled upon this today.

If you omit the identity prefix altogether, strongSwan will guess and convert the data type automatically (it works).
If you want to specify the identity prefix, the data must be in appropiate format. In case of ASN1.DNs, the conversion procedure is somewhat explained on a later post on the same thread referenced before and the following one

I did all that "openssl to hex nightmare" and it indeed works.

Please consider that this issue will also arise with other identity prefixes as well (IP addresses for example) as explained in the strongSwan wiki

#4 Updated by Moritz Bechler over 4 years ago

Actually, I think this is a bug in strongswan (just filed it: https://wiki.strongswan.org/issues/1028), as the asn1dn type gets parsed if auto-detected but not when explicitly specified. Just dropping it should be also fine though, as this is the first case in the auto-detection and just checks for a =.

#5 Updated by Kill Bill over 4 years ago

Moritz Bechler wrote:

Actually, I think this is a bug in strongswan

Of course not! That's all by (utterly braindead) design. :-P

#6 Updated by Jim Thompson over 4 years ago

  • Assignee set to Renato Botelho

#7 Updated by Chris Buechler over 4 years ago

  • Status changed from New to Feedback

this looks to be fixed.

#8 Updated by Jorge Albarenque over 4 years ago

Hold on... The real issue here (as explained in the first comment) is the mishandling of the peer id type for the new versions of strongSwan. As I can see on the submitted revision, this looks still broken at least for the ASN1 type reported here (it still adds "{$peerid_type}:" before the unmodified data)

Is this being handled as part of another bug report?

#9 Updated by Renato Botelho over 4 years ago

  • Status changed from Feedback to Assigned

The issue doesn't affect left side because leftid is overwritten by strongSwan when leftcert is defined.

I'm working on a fix

#10 Updated by Renato Botelho over 4 years ago

  • Status changed from Assigned to Feedback

Please try next round of snapshots

#11 Updated by Moritz Bechler over 4 years ago

31ae45d2535e73f58b307f18227ba29a9061d2af looks good to me.

keyid might deserve some quotes, too, but that's propably not that common.

#12 Updated by Chris Buechler over 4 years ago

  • Status changed from Feedback to Resolved

fixed

Also available in: Atom PDF