New commits:
commit f38b488fbbd6a1263ecd928349f48f4428fdebfa
Author: Paul Wouters <pwout...@redhat.com>
Date: Tue Sep 10 20:48:14 2019 -0400
documentation: updated CHANGES
commit 30173d016e9ddc442eff1009f5943e0eb3c5320b
Author: Paul Wouters <pwout...@redhat.com>
Date: Tue Sep 10 20:44:23 2019 -0400
testing: added ikev2-x509-05-san-firstemail-match-respponder to TESTLIST
commit 2ee4cb953f9f39bcdbcf47c61430d2a0b800081b
Author: Paul Wouters <pwout...@redhat.com>
Date: Tue Sep 10 20:43:44 2019 -0400
testing: updated SAN/ID tests, added
ikev2-x509-05-san-firstemail-match-responder
commit 91a67319ba0bc0aba1ee01c1a4c7b2fe54b21060
Author: Paul Wouters <pwout...@redhat.com>
Date: Tue Sep 10 20:39:15 2019 -0400
x509: Use match_dn_any_order_wild() instead of same_dn_any_order() for SAN
checks
same_dn_any_order() would see specified local wildcard ID's as different
from
a peer ID that would match the wildcard.
This required changing match_dn_any_order_wild() from static to public.
commit 80d68d57a57c7984cd2e2029519cc2765daab912
Author: Paul Wouters <pwout...@redhat.com>
Date: Tue Sep 10 20:34:20 2019 -0400
pluto: new option require-id-on-certificate=yes|no
When using X.509 certificates, this option can be used to accept
certificates
that violate the rules of RFC 4945 Section 3.1 by not having their IKE ID
listed as a subjectAltName (SAN) on their certificate. The default (yes)
is to not accept these certificates as it enables an attack where a
compromised
host can use its valid certificate and some other hosts' peer ID to pretend
to be that other host.
This commit also fixes decode_peer_id_counted() called via decode_peer_id()
that would mistakenly skip the peer ID check on the responder, resulting in
IKE peer ID's not specified on the certificate to be accepted on responders.
_______________________________________________
Swan-commit mailing list
Swan-commit@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan-commit
