Your message dated Mon, 16 Aug 2010 14:34:05 +0200
with message-id <[email protected]>
and subject line Bugs were fixes in unreleased package version 4.3.6-1
has caused the Debian Bug report #569553,
regarding strongswan: Certificates CNs containing email address OIDs are not 
correctly parsed
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
569553: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=569553
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: strongswan
Version: 4.3.2-1.2
Severity: normal
Tags: patch

Upstream introduced a bug in version 4.3.x which breaks parsing of certificate 
common names if these contain email address OIDs (C=DE, O=org, [email protected]). 
If incoming connection requests use certificates which contain CNs with such an 
OID, strongswan is unable to choose the correct connection definition from 
ipsec.conf and fails with 'no matching peer config found'.

This is fixed with upstream commit c8b543a6fc28bc335212ec69d39cc57f5b0e4095.
http://wiki.strongswan.org/repositories/revision/strongswan/c8b543a6fc28bc335212ec69d39cc57f5b0e4095

This broke our setup which was working fine with lenny (4.2.4-5+lenny3) when we 
upgraded strongswan to a backported squeeze version (4.3.2-1.2).

-- System Information:
Debian Release: 5.0.4
  APT prefers proposed-updates
  APT policy: (500, 'proposed-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-vserver-686 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages strongswan depends on:
ii  strongswan-ikev1              4.3.2-1.2  strongSwan Internet Key Exchange (
ii  strongswan-ikev2              4.3.2-1.2  strongSwan Internet Key Exchange (

strongswan recommends no packages.

Versions of packages strongswan suggests:
pn  network-manager-strongswan    <none>     (no description available)

-- debconf information:
  strongswan/x509_self_signed: true
  strongswan/x509_state_name:
* strongswan/start_level: earliest
  strongswan/x509_organizational_unit:
  strongswan/ikev2: true
  strongswan/x509_email_address:
* strongswan/enable-oe: false
  strongswan/x509_locality_name:
  strongswan/x509_country_code: AT
  strongswan/ikev1: true
  strongswan/x509_organization_name:
  strongswan/existing_x509_key_filename:
  strongswan/rsa_key_type: x509
* strongswan/create_rsa_key: false
  strongswan/existing_x509_certificate: false
* strongswan/restart: true
  strongswan/x509_common_name:
  strongswan/rsa_key_length: 2048
  strongswan/existing_x509_certificate_filename:

commit c8b543a6fc28bc335212ec69d39cc57f5b0e4095
Author: Andreas Steffen <[email protected]>
Date:   Tue Aug 18 17:52:00 2009 +0200

    fixed wrong emailAddress OID introduced by revision c31687da

diff --git a/src/libstrongswan/utils/identification.c 
b/src/libstrongswan/utils/identification.c
index 10daf46..7c3b19c 100644
--- a/src/libstrongswan/utils/identification.c
+++ b/src/libstrongswan/utils/identification.c
@@ -85,9 +85,9 @@ static const x501rdn_t x501rdns[] = {
        {"ID",                          OID_UNIQUE_IDENTIFIER,          
ASN1_PRINTABLESTRING},
        {"EN",                          OID_EMPLOYEE_NUMBER,            
ASN1_PRINTABLESTRING},
        {"employeeNumber",      OID_EMPLOYEE_NUMBER,            
ASN1_PRINTABLESTRING},
-       {"E",                           OID_EMAIL_ADDRESS,                      
ASN1_IA5STRING},
-       {"Email",                       OID_EMAIL_ADDRESS,                      
ASN1_IA5STRING},
-       {"emailAddress",        OID_EMAIL_ADDRESS,                      
ASN1_IA5STRING},
+       {"E",                           OID_PKCS9_EMAIL,                        
ASN1_IA5STRING},
+       {"Email",                       OID_PKCS9_EMAIL,                        
ASN1_IA5STRING},
+       {"emailAddress",        OID_PKCS9_EMAIL,                        
ASN1_IA5STRING},
        {"UN",                          OID_UNSTRUCTURED_NAME,          
ASN1_IA5STRING},
        {"unstructuredName",OID_UNSTRUCTURED_NAME,              ASN1_IA5STRING},
        {"TCGID",                       OID_TCGID,                              
        ASN1_PRINTABLESTRING}
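
Review bot: Nothing near the three changed rows ("E", "Email", "emailAddress") or in the commit message says how OID_EMAIL_ADDRESS and OID_PKCS9_EMAIL differ, so the same confusion that the message attributes to revision c31687da can return the next time this table is edited. Please add a short comment above these rows naming the OID arc that OID_PKCS9_EMAIL stands for, state in the commit message whether OID_EMAIL_ADDRESS is still meant to be referenced anywhere, and add a regression test that converts a DN string containing E= and compares it with a certificate subject that carries an emailAddress RDN.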

--- End Message ---
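
A simplified model of the failure reported above, as an added example that is not part of the original messages or of strongSwan's code: a configured `E=` attribute is encoded through a name-to-OID table and compared byte for byte with the RDN from a certificate. The struct, the function names, the sample address, the byte-wise comparison and the placeholder OID 2.999.1 are assumptions; only the PKCS#9 emailAddress OID 1.2.840.113549.1.9.1 is a real value.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for a name -> OID table like x501rdns[] (names here are hypothetical). */
typedef struct { const char *name; const unsigned char *oid; size_t oid_len; unsigned char tag; } rdn_map_t;
/* PKCS#9 emailAddress, 1.2.840.113549.1.9.1, as DER content bytes. */
static const unsigned char PKCS9_EMAIL[] = {0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x01};
/* Placeholder 2.999.1 from the example arc; NOT the OID strongSwan actually used before the fix. */
static const unsigned char OTHER_OID[] = {0x88,0x37,0x01};
#define IA5 0x16 /* ASN.1 IA5String tag */
#define ROWS(o) { {"E", o, sizeof(o), IA5}, {"Email", o, sizeof(o), IA5}, {"emailAddress", o, sizeof(o), IA5} }
static const rdn_map_t BEFORE_FIX[] = ROWS(OTHER_OID);
static const rdn_map_t AFTER_FIX[]  = ROWS(PKCS9_EMAIL);

/* Constructed sample: the emailAddress RDN as it would sit in a peer certificate's subject. */
static const unsigned char CERT_RDN[] = {0x31,0x1E,0x30,0x1C,0x06,0x09,
    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x01,0x16,0x0F,
    'v','p','n','@','e','x','a','m','p','l','e','.','o','r','g'};

/* Encode name=value as SET { SEQUENCE { OID, string } }; short-form lengths only. 0 on failure. */
size_t encode_rdn(const rdn_map_t *tbl, size_t n, const char *name, const char *val,
                  unsigned char *out, size_t cap) {
    for (size_t i = 0; i < n; i++) {
        if (strcmp(tbl[i].name, name) != 0) continue;
        size_t vlen = strlen(val), seq = 2 + tbl[i].oid_len + 2 + vlen;
        if (seq + 2 > 127 || seq + 4 > cap) return 0;
        unsigned char *p = out;
        *p++ = 0x31; *p++ = (unsigned char)(seq + 2); *p++ = 0x30; *p++ = (unsigned char)seq;
        *p++ = 0x06; *p++ = (unsigned char)tbl[i].oid_len;
        memcpy(p, tbl[i].oid, tbl[i].oid_len); p += tbl[i].oid_len;
        *p++ = tbl[i].tag; *p++ = (unsigned char)vlen;
        memcpy(p, val, vlen);
        return seq + 4;
    }
    return 0; /* attribute name not in the table */
}

/* 1 if the configured attribute encodes to exactly the RDN taken from the certificate. */
int config_matches_cert(const rdn_map_t *tbl, size_t n, const char *name, const char *val) {
    unsigned char buf[132];
    size_t len = encode_rdn(tbl, n, name, val, buf, sizeof buf);
    return len == sizeof CERT_RDN && memcmp(buf, CERT_RDN, len) == 0;
}

int main(void) {
    printf("before fix: %d\n", config_matches_cert(BEFORE_FIX, 3, "E", "vpn@example.org"));
    printf("after fix:  %d\n", config_matches_cert(AFTER_FIX, 3, "E", "vpn@example.org"));
    return 0;
}
```
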
--- Begin Message ---
strongswan (4.3.6-1) unstable; urgency=low

  * UNRELEASED

  * New upstream release, now build-depends on gperf.
    Closes: #577855: New upstream release 4.3.6
    Closes: #569553: strongswan: Certificates CNs containing email address 
                     OIDs are not correctly parsed
    Closes: #557635: strongswan charon does not rekey forever
    Closes: #569299: Please update configure check to use new nm-glib 
                     pkgconfig file name
  * Switch to dpkg-source 3.0 (quilt) format
  * Synchronize debconf handling with current openswan 2.6.25 package to keep
    X509 certificate handling etc. similar. Thanks to Harald Jenny for 
    implementing these changes in openswan, which I just converted to 
    strongswan.
  * Now also build a strongswan-dbg package to ship debugging symbols.
  * Include attr plugin in strongswan-ikev2 package. Thanks to Christoph Lukas
    for pointing out that this was missing.
    Closes: #569550: strongswan: Please include attr plugin

 -- Rene Mayrhofer <[email protected]>  Tue, 23 Feb 2010 10:39:21 +0000

--- End Message ---
