Public bug reported:

If a certificate has a policy, strongswan rejects it unless every
certificate up the chain has the same policy. For certificates issued by
CAs today, this is not a valid assumption. This assumption results in my
Ubuntu laptop being unable to connect to my workplace VPN (which is
actually also Ubuntu strongswan, but that's irrelevant).

The attached patch from upstream git fixes the problem by changing the
validation behavior. From the upstream commit message:

--

Instead of rejecting the certificate completely if a certificate has a
policy OID that is actually not allowed by the issuer CA, we accept it.
However, the certificate policy itself is still considered invalid, and
is not returned in the auth config resulting from trust chain
operations.

A user must make sure to rely on the returned auth config certificate
policies instead of the policies contained in the certificate; even if
the certificate is valid, the policy OIDs themselves in the certificate are
not to be trusted anymore.

--

This patch applies exactly from upstream to strongswan in Vivid. It can
be trivially backported to Precise (which I've done and tested). I did
not test any versions in the middle.

** Affects: strongswan (Ubuntu)
     Importance: Undecided
         Status: New

** Attachment added: "0001-constraints-Don-t-reject-certificates-with-invalid-c.patch"
   https://bugs.launchpad.net/bugs/1448870/+attachment/4385292/+files/0001-constraints-Don-t-reject-certificates-with-invalid-c.patch
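The two behaviours the report contrasts, as an added example that is neither strongSwan's code nor the attached patch: each certificate carries the OIDs from its certificatePolicies extension, the chain is walked from the trust anchor down, and the strict path rejects the chain at the first OID its issuer does not permit while the patched path accepts the chain and returns only the OIDs that are valid all the way up. The Cert class, the permission rule and the sample chains are assumptions constructed for illustration.

```python
from dataclasses import dataclass
ANY_POLICY = "2.5.29.32.0"  # anyPolicy OID of the certificatePolicies extension

@dataclass(frozen=True)
class Cert:
    subject: str
    policies: frozenset  # policy OIDs asserted in the certificatePolicies extension

class PolicyViolation(Exception):
    """A certificate asserts a policy OID its issuer does not permit."""

def valid_policies(chain, strict):
    """chain[0] is the end-entity, chain[-1] the trust anchor.

    Assumed model (not strongSwan's code): an OID is valid only if the issuer
    asserts anyPolicy, or asserts the same OID and it is itself valid there; a
    subordinate anyPolicy inherits the issuer's valid set; the anchor's own
    policies are taken as-is.  strict=True is the pre-patch behaviour (first
    invalid OID rejects the chain); strict=False is the patched behaviour (the
    chain is accepted, only OIDs valid along the whole chain are returned).
    """
    valid = set(chain[-1].policies)
    for cert, issuer in zip(reversed(chain[:-1]), reversed(chain[1:])):
        issuer_any = ANY_POLICY in issuer.policies
        new_valid = set(valid) if ANY_POLICY in cert.policies else set()
        for oid in cert.policies - {ANY_POLICY}:
            if issuer_any or oid in valid:
                new_valid.add(oid)
            elif strict:
                raise PolicyViolation(f"{cert.subject}: {oid} not permitted by {issuer.subject}")
        valid = new_valid
    return valid

def evaluate(chain, strict):
    """(accepted, policies) as a consumer of the resulting auth config sees them."""
    try:
        return True, valid_policies(chain, strict)
    except PolicyViolation:
        return False, set()

# Constructed sample chains; the OIDs sit under a private-enterprise arc, not a real CA's.
POLICY_X, POLICY_Y = "1.3.6.1.4.1.99999.1", "1.3.6.1.4.1.99999.2"
# The reporter's situation: the end-entity asserts a policy no CA above it asserts.
TYPICAL = [Cert("vpn.example.test", frozenset({POLICY_X})),
           Cert("Issuing CA", frozenset()), Cert("Root", frozenset())]
CONSISTENT = [Cert("host", frozenset({POLICY_X})), Cert("Strict CA", frozenset({POLICY_X})),
              Cert("Strict Root", frozenset({POLICY_X}))]
# One permitted and one unpermitted OID: rejected before the patch, accepted with Y dropped after.
MIXED = [Cert("host", frozenset({POLICY_X, POLICY_Y})), Cert("CA", frozenset({POLICY_X})),
         Cert("Any Root", frozenset({ANY_POLICY}))]
```

The point of the patch is visible in `evaluate(MIXED, strict=False)`: the connection is accepted, but POLICY_Y never reaches the auth config, so anything keyed on policy OIDs must read that returned set and not the certificate.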


https://bugs.launchpad.net/bugs/1448870

Title:
  Certificate policies cause rejections
