Bug #7929

closed

IPSec CA certificate name corrupt if multiple RDNs of the same type are in subject name

Added by Daniel Sands over 6 years ago. Updated over 6 years ago.

Status: Resolved
Priority: High
Assignee:
Category: Certificates
Target version:
Start date: 10/12/2017
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.3.4_1
Affected Architecture: All

Description

When the CA certificate subject is converted to OSF style, but multiple RDN components of the same type are in the subject, the subject will be written out as something like:

/DC=Array/CN=MyCert/

This causes the IPSec server to dismiss the CA and fail to authenticate the client certificate.

The DC components might be DC=example,DC=com, in this case. In /etc/inc/vpn.inc, there is a foreach that adds the components one-by-one into this string. The loop needs to check whether the current component is an array or a value, and act appropriately for each case.

My quick and dirty local fix went as such:

    if (!empty($ph1ent['caref'])) {
        $ca = lookup_ca($ph1ent['caref']);
        if ($ca) {
            $casubarr = cert_get_subject_array($ca['crt']);
            $casub = "";
            foreach ($casubarr as $casubfield) {
                // Start the subject string with a leading slash.
                if (empty($casub)) {
                    $casub = "/";
                }
                if (is_array($casubfield['v'])) {
                    // Repeated RDN type (e.g. several DC entries): emit one component per value.
                    foreach ($casubfield['v'] as $casubfieldcomp) {
                        $casub .= "{$casubfield['a']}={$casubfieldcomp}/";
                    }
                } else {
                    // Single value: emit it as before.
                    $casub .= "{$casubfield['a']}={$casubfield['v']}/";
                }
            }
        }
    }
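The failure and the fix described above as a stand-alone script. This is an added example, not code from pfSense or from the reporter: the function names and the sample subject array are hypothetical and constructed, and only the 'a'/'v' entry shape is taken from the loop above.

```php
<?php
// Constructed sample in the shape the ticket's loop consumes: each entry has
// an attribute name 'a' and a value 'v'; a repeated RDN type carries an array.
$subject = [
    ['a' => 'DC', 'v' => ['example', 'com']],
    ['a' => 'CN', 'v' => 'MyCert'],
];

// Behaviour described in the ticket: every 'v' is interpolated as a string,
// so an array value is rendered as the literal word "Array". PHP also emits
// an "Array to string conversion" diagnostic at this point.
function subject_string_before(array $fields): string
{
    $out = '';
    foreach ($fields as $f) {
        if ($out === '') {
            $out = '/';
        }
        $out .= "{$f['a']}={$f['v']}/";
    }
    return $out;
}

// Corrected form: treat every value as a list, so a repeated RDN type
// produces one "type=value/" component per value.
function subject_string_after(array $fields): string
{
    $out = '';
    foreach ($fields as $f) {
        if ($out === '') {
            $out = '/';
        }
        foreach ((array) $f['v'] as $value) {
            $out .= "{$f['a']}={$value}/";
        }
    }
    return $out;
}

// Hypothetical sanity check for generated configuration: flags a component
// whose value is the literal "Array" (a CA really named "Array" would also match).
function has_array_placeholder(string $subject): bool
{
    return preg_match('#/[^/=]+=Array/#', $subject) === 1;
}

echo subject_string_before($subject), "\n"; // /DC=Array/CN=MyCert/
echo subject_string_after($subject), "\n";  // /DC=example/DC=com/CN=MyCert/
var_dump(has_array_placeholder(subject_string_before($subject))); // bool(true)
```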