Bug #7929
IPSec CA certificate name corrupt if multiple RDNs of the same type are in subject name
Status: closed
Start date: 10/12/2017
% Done: 100%
Affected Version: 2.3.4_1
Affected Architecture: All
Description
When the CA certificate subject is converted to OSF style, but multiple RDN components of the same type are in the subject, the subject will be written out as something like:
/DC=Array/CN=MyCert/
This causes the IPSec server to dismiss the CA and fail to authenticate the client certificate.
The DC components might be DC=example,DC=com, in this case. In /etc/inc/vpn.inc, there is a foreach that adds the components one-by-one into this string. The loop needs to check whether the current component is an array or a value, and act appropriately for each case.
My quick and dirty local fix went as such:
    if (!empty($ph1ent['caref'])) {
        $ca = lookup_ca($ph1ent['caref']);
        if ($ca) {
            $casubarr = cert_get_subject_array($ca['crt']);
            $casub = "";
            foreach ($casubarr as $casubfield) {
                if (empty($casub)) {
                    $casub = "/";
                }
                if (is_array($casubfield['v'])) {
                    // Repeated RDN type: write one component per value
                    foreach ($casubfield['v'] as $casubfieldcomp) {
                        $casub .= "{$casubfield['a']}={$casubfieldcomp}/";
                    }
                } else {
                    // Single value: write it as before
                    $casub .= "{$casubfield['a']}={$casubfield['v']}/";
                }
            }
        }
    }
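The failure and the fix described in this report, side by side, as an added stand-alone example (not pfSense code). The sample `$casubarr` is constructed in the shape the loop above consumes, and the function names `subject_unfixed`, `subject_fixed` and `subject_looks_corrupt` are hypothetical.

```php
<?php
// Constructed sample: a list of ['a' => attribute type, 'v' => value].
// 'v' is an array when the subject repeats an RDN type (two DC components here).
$casubarr = [
    ['a' => 'DC', 'v' => ['example', 'com']],
    ['a' => 'CN', 'v' => 'MyCert'],
];

// Behaviour described in the report: every 'v' is interpolated as a string,
// so a nested array is written as the literal text "Array". PHP also emits
// an "Array to string conversion" diagnostic at this point.
function subject_unfixed(array $fields) {
    $sub = "";
    foreach ($fields as $f) {
        if (empty($sub)) {
            $sub = "/";
        }
        $sub .= "{$f['a']}={$f['v']}/";
    }
    return $sub;
}

// Same handling as the fix above: the (array) cast turns a scalar into a
// one-element list, so single and repeated RDN types share one inner loop.
function subject_fixed(array $fields) {
    $sub = "";
    foreach ($fields as $f) {
        if (empty($sub)) {
            $sub = "/";
        }
        foreach ((array) $f['v'] as $value) {
            $sub .= "{$f['a']}={$value}/";
        }
    }
    return $sub;
}

// Heuristic check for an already generated subject string: a component whose
// value is exactly "Array" is the signature of this bug. A CA that really
// uses the value "Array" would be flagged as well.
function subject_looks_corrupt($sub) {
    return (bool) preg_match('#=Array/#', $sub);
}

foreach (['unfixed' => subject_unfixed($casubarr),
          'fixed'   => subject_fixed($casubarr)] as $name => $sub) {
    printf("%-8s %s%s\n", $name, $sub, subject_looks_corrupt($sub) ? "  <- corrupt" : "");
}
```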