Your message dated Sat, 27 Jul 2019 18:25:41 +0000
with message-id <[email protected]>
and subject line Bug#932144: Removed package(s) from unstable
has caused the Debian Bug report #507839,
regarding racoon asn1dn string encoding issues
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
507839: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=507839
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: racoon
Version: 0.7.1-1.2

This is half a bug and half a suggestion for enhancement. At the very least 
I want to write up a summary of my thoughts about the issue.

According to RFC 2459 and successors (the latest is RFC 5280), we should
all be using UTF8 or Printable strings in certificates, to the exclusion 
of T61 and BMP. This is the PKIX recommendation for certificates issued
from 2004 onwards, and I'm following it.

OpenSSL still doesn't default to this behaviour, but it offers a pair of
functions, ASN1_STRING_set_default_mask(unsigned long mask) and 
ASN1_STRING_set_default_mask_asc(char *p), to control this aspect.
As of today, racoon does not call these functions; therefore its
eay_str2asn1dn() uses Printable, T61 and BMP string encodings.

An undocumented (i.e., one has to read the source code to find out
about it) workaround exists: if in the configuration file the value
of an asn1dn literal is a ~ followed by the hexadecimal representation
of an ASN.1-encoded DN, this will bypass eay_str2asn1dn(). This works
well but is not very user-friendly.

=> to do: describe this feature in the racoon.conf(5) man page.

Now for the enhancement suggestion:

A more pleasant solution than the use of hexadecimal notation would be 
to allow the string encoding rule to be spelled out in racoon.conf. 
This should be done on a per-DN basis, although the ability to change
the global default may also be of some use.

Syntactically, this could be achieved with a qualifier (see the syntax
for the "my_identifier" keyword; currently only the "keyid" identifier
type can have qualifiers) and a straightforward extension of function
set_identifier_qual().



--- End Message ---
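The report above describes bypassing eay_str2asn1dn() by writing the DN as a ~ followed by the hex of its ASN.1 encoding. The sketch below is an added example, not code from the report or from racoon: it DER-encodes a DN using only PrintableString and UTF8String, the two types the report cites from RFC 5280. The function names and the sample DN are hypothetical, and the literal format is assumed to be exactly as the report states it.

```python
import re

# X.520 attribute type OIDs for the short names this example accepts.
OIDS = {"C": "2.5.4.6", "ST": "2.5.4.8", "L": "2.5.4.7",
        "O": "2.5.4.10", "OU": "2.5.4.11", "CN": "2.5.4.3"}
# Character set permitted in an ASN.1 PrintableString.
PRINTABLE = re.compile(r"[A-Za-z0-9 '()+,\-./:=?]*")

def tlv(tag, body):
    """DER tag-length-value with a definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def oid(dotted):
    """DER-encode a dotted OID: first two arcs share a byte, the rest are base 128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def dn_string(value):
    """PrintableString (0x13) when the value fits, else UTF8String (0x0C); never T61 or BMP."""
    if PRINTABLE.fullmatch(value):
        return tlv(0x13, value.encode("ascii"))
    return tlv(0x0C, value.encode("utf-8"))

def encode_dn(rdns):
    """rdns: ordered (type, value) pairs, one attribute per RDN."""
    body = b"".join(tlv(0x31, tlv(0x30, oid(OIDS[k]) + dn_string(v)))
                    for k, v in rdns)
    return tlv(0x30, body)

def racoon_hex_literal(rdns):
    """'~' plus hex of the DER DN, the literal form described in the report."""
    return "~" + encode_dn(rdns).hex()

if __name__ == "__main__":
    # Constructed sample DN, not taken from the report.
    print(racoon_hex_literal([("C", "DE"), ("O", "Example"), ("CN", "Zoë")]))
```

Compare the output against the subject of the actual certificate (for instance with an ASN.1 dump tool) before relying on it, since the DN must match byte for byte, including the string type of each attribute.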
--- Begin Message ---
Version: 1:0.8.2+20140711-12+rm

Dear submitter,

as the package ipsec-tools has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/932144

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
[email protected].

Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)

--- End Message ---