Hello

While upgrading from Libreswan 3.15 to 3.21 we found the tunnels using certificate authentication ceased to work. The problem appears to stem from this commit:

https://github.com/libreswan/libreswan/commit/6806420bfec59c8fa6e44d0a95a52d6878c10a6e

We have reverted this commit in our tree for the time being as a workaround. Our certificates do not have a SubjectAltName field and the common name matching doesn't appear to be sufficient. We also do not enforce any kind of linkage between the configured tunnel IDs and the fields within the certificate.

From a certificate within our test suite:

  Subject: C=GB, O=Smoothwall, CN=tunnel12

The tunnel this certificate is used with uses "tunnel12.foo" as a FQDN ID for the remote end, which fails with the following error in the logs:

  '"conn34"[2] 172.20.3.5 #9: certificate does not contain subjectAltName=tunnel12.foo'
  '"conn34"[2] 172.20.3.5 #9: Peer public key SubjectAltName does not match peer ID for this connection'

and "complete v1 state transition with INVALID_ID_INFORMATION", but these two are a direct result of the above.

Changing the ID to "tunnel12" is not sufficient to make the connection work. Changing it to %fromcert makes this configuration work (even though the remote is still using "tunnel12.foo"). I suspect this will either break some of our customer configurations or introduce possible security holes.

What are your thoughts on this? Are there caveats with using arbitrary IDs when certificate auth is in use? What was the reasoning behind this change to Libreswan?

Thanks

--
Daniel Collins
Software Developer
smoothwall
[email protected]
www.smoothwall.com
Office : (+44) 148-988-6073
Head Office : Avalon, 1 Savannah Way, Leeds, LS10 1AB, United Kingdom
Tech Office : Eagle Point, Little Park Farm Road, Fareham, PO15 5TD, United Kingdom
US Office : 8008 Corporate Center Dr #410, Charlotte, NC 28226, United States
Telephone: UK: +44 870-199-9500 US: +1 800-959-3760
Smoothwall Limited is registered in England, Company Number: 4298247 and whose registered address is Avalon House 1 Savannah Way, Leeds Valley Park, Leeds, LS10 1AB. Any opinions stated in this message are solely those of the author.
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
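As an added illustration (not from the post above or from the Libreswan project), the three rightid settings the post compares, written as one ipsec.conf conn; the conn name, peer address and log text come from the post, while the local certificate nickname and the remaining options are assumed:

```ini
# Constructed example: how rightid interacts with the peer certificate under
# certificate authentication. conn34, 172.20.3.5 and the quoted log line are
# from the post; local.crt and the other option values are assumed.

conn conn34
    authby=rsasig
    left=%defaultroute
    leftcert=local.crt          # assumed nickname of our own certificate
    leftid=%fromcert            # our ID is taken from our certificate
    leftrsasigkey=%cert
    leftsendcert=always
    right=172.20.3.5
    rightrsasigkey=%cert        # peer key comes from the certificate it sends
    rightca=%same               # peer cert must chain to the same CA as ours

    # Variant 1: rightid=@tunnel12.foo
    #   An FQDN ID is checked against the peer certificate's subjectAltName.
    #   A certificate with only CN=tunnel12 and no SAN is rejected with
    #   "certificate does not contain subjectAltName=tunnel12.foo".
    #
    # Variant 2: rightid=@tunnel12
    #   Still rejected: the FQDN ID is matched against the SAN, not the CN.
    #
    # Variant 3: rightid=%fromcert (the setting that makes the tunnel work)
    #   The peer ID is taken from whatever the CA-validated certificate
    #   carries, so the conn no longer pins which certificate holder may use
    #   it; anything issued by the CA named via rightca is accepted.
    rightid=%fromcert
```

The durable way to keep an explicit rightid is to issue peer certificates with a subjectAltName that matches it (for this conn, a DNS name of tunnel12.foo), so the ID check constrains the peer instead of being bypassed.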
