[Bug 1448870] Re: Certificate policies cause rejections
Richard Laager
rlaager at wiktel.com
Mon Apr 27 06:52:15 UTC 2015
** Description changed:
If a certificate has a policy, strongswan rejects it unless every
certificate up the chain has the same policy. For certificates issued by
CAs today, this is not a valid assumption. This assumption results in my
Ubuntu laptop being unable to connect to my workplace VPN (which is
actually also Ubuntu strongswan, but that's irrelevant).
The attached patch from upstream git fixes the problem by changing the
validation behavior. From the upstream commit message:
--
Instead of rejecting the certificate completely if a certificate has a
policy OID that is actually not allowed by the issuer CA, we accept it.
However, the certificate policy itself is still considered invalid, and
is not returned in the auth config resulting from trust chain
operations.
A user must make sure to rely on the returned auth config certificate
policies instead of the policies contained in the certificate; even if
the certificate is valid, the policy OIDs in the certificate themselves are
not to be trusted anymore.
--
This patch applies exactly from upstream to strongswan in Vivid. It can
be trivially backported to Precise (which I've done and tested). I did
- not test any versions in the middle.
+ not specifically test it on any versions in the middle.
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to strongswan in Ubuntu.
https://bugs.launchpad.net/bugs/1448870
Title:
Certificate policies cause rejections
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1448870/+subscriptions
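To make the behaviour change concrete, here is a small model of the two validation modes described above: the pre-patch mode rejects a chain as soon as a certificate asserts a policy OID its issuer chain does not carry, and the post-patch mode accepts the chain but drops that OID from the validated policy set, which is why a relying party has to consult the validated set rather than the leaf's own certificatePolicies extension. This is an added illustration, not strongswan's code or the attached patch; the `Cert` class, the functions and the chains (including the placeholder policy OID `1.3.6.1.4.1.99999.1.1`) are constructed for the example, and the model simplifies real X.509 policy processing to the rule the bug report states (a policy is valid only if every certificate up the chain asserts it).

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed for this example)."""
    subject: str
    issuer: str
    policies: FrozenSet[str]  # OIDs asserted in the certificatePolicies extension


def validate_chain(chain: List[Cert], strict: bool) -> Tuple[bool, FrozenSet[str]]:
    """Validate a chain ordered leaf-first, trust anchor last.

    Returns (accepted, valid_policies). A policy OID is valid only if every
    certificate from the leaf up to the trust anchor asserts it.
      strict=True  : pre-patch behaviour, a certificate asserting a policy its
                     issuer chain does not carry makes the whole chain invalid.
      strict=False : post-patch behaviour, the chain is accepted but the
                     unsupported policy is dropped from the returned set.
    """
    if not chain:
        return False, frozenset()
    anchor = chain[-1]
    allowed = set(anchor.policies)  # policies the trust anchor vouches for
    parent = anchor
    # Walk from the certificate issued by the anchor down to the leaf.
    for cert in reversed(chain[:-1]):
        if cert.issuer != parent.subject:  # broken name chaining
            return False, frozenset()
        unsupported = cert.policies - allowed
        if unsupported and strict:
            return False, frozenset()
        allowed &= cert.policies  # only policies carried by every cert survive
        parent = cert
    return True, frozenset(allowed)


def peer_satisfies_policy(chain: List[Cert], required_oid: str, strict: bool) -> bool:
    """What a relying party that requires a policy should do: decide on the
    validated policy set, never on the leaf certificate's raw extension."""
    accepted, valid = validate_chain(chain, strict)
    return accepted and required_oid in valid


# Constructed sample data (not taken from the bug report).
POLICY = "1.3.6.1.4.1.99999.1.1"  # placeholder policy OID

# A chain as commonly issued today: the root carries no policy at all,
# while the issuing CA and the end-entity certificate both assert one.
ROOT = Cert("Example Root CA", "Example Root CA", frozenset())
INTERMEDIATE = Cert("Example Issuing CA", "Example Root CA", frozenset({POLICY}))
LEAF = Cert("vpn.example.test", "Example Issuing CA", frozenset({POLICY}))
TODAYS_CHAIN = [LEAF, INTERMEDIATE, ROOT]

# A chain where every certificate up to the anchor asserts the policy.
ROOT_P = Cert("Policy Root CA", "Policy Root CA", frozenset({POLICY}))
INTER_P = Cert("Policy Issuing CA", "Policy Root CA", frozenset({POLICY}))
LEAF_P = Cert("user.example.test", "Policy Issuing CA", frozenset({POLICY}))
CONSISTENT_CHAIN = [LEAF_P, INTER_P, ROOT_P]


if __name__ == "__main__":
    for label, chain in (("today's chain", TODAYS_CHAIN), ("consistent chain", CONSISTENT_CHAIN)):
        for strict in (True, False):
            accepted, valid = validate_chain(chain, strict)
            mode = "pre-patch " if strict else "post-patch"
            print(f"{mode} {label}: accepted={accepted} valid_policies={sorted(valid)}")
    # The leaf still claims the policy, but after the patch the validated set
    # is what a gateway must check.
    print("leaf asserts policy:", POLICY in LEAF.policies)
    print("policy validated:", peer_satisfies_policy(TODAYS_CHAIN, POLICY, strict=False))
```

Running it shows the situation from the report: with the pre-patch rule the everyday chain is rejected outright, with the post-patch rule it is accepted with an empty validated policy set, and only the fully consistent chain yields the policy OID. A gateway that enforces a policy by looking at `LEAF.policies` instead of the validated set would wrongly treat the first chain as satisfying it.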