Bug #7929
closed
IPSec CA certificate name corrupt if multiple RDNs of the same type are in subject name
100%
Description
When the CA certificate subject is converted to OSF style, but multiple RDN components of the same type are in the subject, the subject will be written out as something like:
/DC=Array/CN=MyCert/
This causes the IPSec server to dismiss the CA and fail to authenticate the client certificate.
The DC components might be DC=example,DC=com, in this case. In /etc/inc/vpn.inc, there is a foreach that adds the components one-by-one into this string. The loop needs to check whether the current component is an array or a value, and act appropriately for each case.
My quick and dirty local fix went as such:
if (!empty($ph1ent['caref'])) {
$ca = lookup_ca($ph1ent['caref']);
if ($ca) {
$casubarr = cert_get_subject_array($ca['crt']);
$casub = "";
foreach ($casubarr as $casubfield) {
if (empty($casub)) {
$casub = "/";
}
if (is_array($casubfield['v'])) {
foreach ($casubfield['v'] as $casubfieldcomp) {
$casub .= "{$casubfield['a']}={$casubfieldcomp}/";
}
}
else
{
$casub .= "{$casubfield['a']}={$casubfield['v']}/";
}
}
}
}
Updated by Jim Pingle about 7 years ago
- Category set to Certificates
- Assignee set to Jim Pingle
- Target version set to 2.4.2
Updated by Jim Pingle about 7 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset 7e37da2e9db8dd153e3b8ef2844beb9a9fe24a56.
Updated by Constantine Kormashev about 7 years ago
2.4.2 17-11-04 could not reproduce the issue
rightca for latest /DC=jimp/DC=pw/
rightca for 2.4.1 /DC=Array/
Auths works fine
Updated by Jim Pingle about 7 years ago
- Status changed from Feedback to Resolved