** Description changed:

  If a certificate has a policy, strongswan rejects it unless every certificate up the chain has the same policy. For certificates issued by CAs today, this is not a valid assumption. This assumption results in my Ubuntu laptop being unable to connect to my workplace VPN (which is actually also Ubuntu strongswan, but that's irrelevant).

  The attached patch from upstream git fixes the problem by changing the validation behavior. From the upstream commit message:

  --
  Instead of rejecting the certificate completely if a certificate has a policy OID that is actually not allowed by the issuer CA, we accept it. However, the certificate policy itself is still considered invalid, and is not returned in the auth config resulting from trust chain operations. A user must make sure to rely on the returned auth config certificate policies instead of the policies contained in the certificate; even if the certificate is valid, the policy OID itself in the certificate is not to be trusted anymore.
  --

  This patch applies exactly from upstream to strongswan in Vivid. It can be trivially backported to Precise (which I've done and tested). I did
- not test any versions in the middle.
+ not specifically test it on any versions in the middle.
--
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to strongswan in Ubuntu.
https://bugs.launchpad.net/bugs/1448870

Title:
  Certificate policies cause rejections
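The two validation behaviours the report contrasts, as an added example that is not strongSwan's code: a simplified model in which each certificate is represented only by the set of policy OIDs it asserts, the chain runs from the trust anchor down to the end-entity certificate, and the OIDs under the 2.999 example arc are constructed placeholders. `strict=True` models the rejection described in the bug; `strict=False` models the upstream fix, which accepts the chain but reports only the policies that hold along all of it.

```python
"""Simplified model of the certificate-policy check discussed in the bug.
Added example, not strongSwan's code. A certificate is just the set of policy
OIDs it asserts; chain[0] is the trust anchor. OIDs under 2.999 are
constructed placeholders from the ITU-T example arc."""

ANY_POLICY = "2.5.29.32.0"  # X.509 anyPolicy


class PolicyRejected(Exception):
    """Old behaviour: a policy not carried by the whole chain is fatal."""


def valid_policies(chain, strict):
    """Return the policy OIDs that hold along the entire chain.

    strict=True  models the behaviour the bug describes: a certificate whose
                 policy is not asserted by every certificate above it is rejected.
    strict=False models the upstream fix: the certificate is accepted, but such
                 a policy is dropped and never reported as valid.
    """
    if not chain:
        raise ValueError("empty chain")
    valid = set(chain[0])           # trust anchor policies are taken as given
    for subject_policies in chain[1:]:
        next_valid = set()
        for oid in subject_policies:
            if oid == ANY_POLICY:
                next_valid |= valid  # anyPolicy inherits whatever is still valid
            elif oid in valid or ANY_POLICY in valid:
                next_valid.add(oid)
            elif strict:
                raise PolicyRejected(f"policy {oid} not allowed by issuer chain")
            # lenient: accept the certificate, silently drop the policy
        valid = next_valid
    return valid - {ANY_POLICY}


def chain_accepted(chain, strict):
    """True if the chain validates; valid policies are reported separately."""
    try:
        valid_policies(chain, strict)
        return True
    except PolicyRejected:
        return False


if __name__ == "__main__":
    # Constructed chain typical of public CAs: root without a policy extension,
    # intermediate and leaf both asserting the same (placeholder) policy OID.
    chain = [set(), {"2.999.1"}, {"2.999.1"}]
    print("before fix accepted:", chain_accepted(chain, strict=True))        # False
    print("after fix accepted: ", chain_accepted(chain, strict=False))       # True
    print("after fix valid policies:", valid_policies(chain, strict=False))  # set()
```

The last line of the demo is the point of the commit message quoted above: the chain is accepted, but the policy OID present in the leaf is not reported as valid, so a policy-based access decision must use the returned set rather than the certificate's own extension.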