Bug #4794
closed
Handling of ASN1.DN values for RSA IPsec during upgrades from previous versions
100%
Description
The certificate CNs are interpreted differently by raccoon and strongSwan, for example:
raccoon:
C=US, ST=Whatever, L=Springfield, O=Springfield Power Plant/emailAddress=burns@powerplant.com, CN=springfield.powerplant.com
strongSwan:
"C=US, ST=Whatever, L=Springfield, O=Springfield Power Plant, E=burns@powerplant.com, CN=springfield.powerplant.com"
So on upgrades from v2.1.x and before, some regex needs to be done on the ASN1DN field.
Also, the value needs to be surrounded in quotes, but be careful because if the identity prefix is provided, the prefix must be included within the quotes, eg: rightid = "asn1dn:#whateverhexvalue..."
This will depend on how the identity type prefixes are handled (related to bug 4792 )
Updated by Tobias Brunner about 9 years ago
As I've recently explained on an Ubuntu bug report related to pfSense just adding identity type prefixes is not correct and will most likely not result in the intended result.
Updated by
Updated by Chris Buechler about 9 years ago
- Status changed from New to Confirmed
Should be fine to s/\/emailAddress/, E/ on asn1dn when doing config upgrade from 2.1.5
Updated by Renato Botelho about 9 years ago
- Status changed from Confirmed to Feedback
- % Done changed from 0 to 100
Applied in changeset e4b7410b9bc3622cee6797588a7d5a685d4d759e.
Updated by Renato Botelho about 9 years ago
Applied in changeset faaab0885d68e6422885e1c3d56985992e909474.