Bug #7929

closed

IPSec CA certificate name corrupt if multiple RDNs of the same type are in subject name

Added by Daniel Sands almost 4 years ago. Updated almost 4 years ago.

Status: Resolved
Priority: High
Assignee:
Category: Certificates
Target version:
Start date: 10/12/2017
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.3.4_1
Affected Architecture: All

Description

When the CA certificate subject is converted to OSF style, but multiple RDN components of the same type are in the subject, the subject will be written out as something like:

/DC=Array/CN=MyCert/

This causes the IPSec server to dismiss the CA and fail to authenticate the client certificate.

The DC components might be DC=example,DC=com, in this case. In /etc/inc/vpn.inc, there is a foreach that adds the components one-by-one into this string. The loop needs to check whether the current component is an array or a value, and act appropriately for each case.

My quick and dirty local fix went as such:

    if (!empty($ph1ent['caref'])) {
        $ca = lookup_ca($ph1ent['caref']);
        if ($ca) {
            $casubarr = cert_get_subject_array($ca['crt']);
            $casub = "";
            foreach ($casubarr as $casubfield) {
                if (empty($casub)) {
                    $casub = "/";
                }
                // Several RDNs of the same type arrive as an array of values:
                // emit one component per value.
                if (is_array($casubfield['v'])) {
                    foreach ($casubfield['v'] as $casubfieldcomp) {
                        $casub .= "{$casubfield['a']}={$casubfieldcomp}/";
                    }
                } else {
                    $casub .= "{$casubfield['a']}={$casubfield['v']}/";
                }
            }
        }
    }
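
The failure mode described in this report, reproduced stand-alone as an added example (not pfSense code and not part of the original report). The sample subject is constructed, and the function names `subject_naive`, `subject_per_rdn` and `rdn_count` are hypothetical; the `a`/`v` entry shape is taken from the snippet above.

```php
<?php
// Added example, not pfSense code. Constructed sample subject, shaped like the
// 'a' (attribute) / 'v' (value) entries the fix above iterates over.
$subject = [
    ['a' => 'DC', 'v' => ['example', 'com']], // two RDNs of the same type
    ['a' => 'CN', 'v' => 'MyCert'],
];

// Before: each value is interpolated as a string, so an array becomes "Array".
function subject_naive(array $fields): string {
    $out = "";
    foreach ($fields as $f) {
        if ($out === "") {
            $out = "/";
        }
        // @ silences PHP's "Array to string conversion" diagnostic.
        $out .= @"{$f['a']}={$f['v']}/";
    }
    return $out;
}

// After: one "/attr=value" component per RDN value.
function subject_per_rdn(array $fields): string {
    $out = "";
    foreach ($fields as $f) {
        // (array) wraps a scalar in a one-element list; a list passes through.
        foreach ((array) $f['v'] as $value) {
            $out .= "/{$f['a']}={$value}";
        }
    }
    return $out === "" ? "" : $out . "/";
}

// Number of RDN values the certificate subject actually carries.
function rdn_count(array $fields): int {
    return array_sum(array_map(fn($f) => count((array) $f['v']), $fields));
}

// Check: the rendered string must have one component per RDN value
// (valid for this sample, whose values contain no "=").
foreach (['subject_naive', 'subject_per_rdn'] as $fn) {
    $rendered = $fn($subject);
    $ok = substr_count($rendered, "=") === rdn_count($subject);
    printf("%-16s %-30s %s\n", $fn, $rendered, $ok ? "ok" : "RDN count mismatch");
}
```

The component-count comparison is the kind of check that catches this class of bug before a malformed CA subject reaches the IPsec configuration.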
Actions #1

Updated by Jim Pingle almost 4 years ago

  • Category set to Certificates
  • Assignee set to Jim Pingle
  • Target version set to 2.4.2
Actions #2

Updated by Jim Pingle almost 4 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
Actions #3

Updated by Constantine Kormashev almost 4 years ago

2.4.2 17-11-04 could not reproduce the issue
rightca for latest /DC=jimp/DC=pw/
rightca for 2.4.1 /DC=Array/
Auth works fine

Actions #4

Updated by Jim Pingle almost 4 years ago

  • Status changed from Feedback to Resolved