Bug 1650450
| Summary: | Support for IKE/IPsec typical PKIX usage so libreswan can use nss without rejecting certs based on EKU [rhel-7.6.z] | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Oneata Mircea Teodor <toneata> |
| Component: | nss | Assignee: | nss-nspr-maint <nss-nspr-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Hubert Kario <hkario> |
| Severity: | high | Docs Contact: | Mirek Jahoda <mjahoda> |
| Priority: | urgent | ||
| Version: | 7.1 | CC: | cww, fkrska, hkario, mgrepl, mjahoda, mrogers, nkinder, nmavrogi, pwouters, rrelyea, sbroz, shobbs, tis, tmraz, toneata, tscherf |
| Target Milestone: | rc | Keywords: | Reopened, ZStream |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | nss-util-3.36.0-1.1.el7_6,nss-3.36.0-7.1.el7_6 | Doc Type: | Bug Fix |
| Doc Text: |
Previously, the NSS library did not properly process X.509 certificates for use with IPsec. As a consequence, if X.509 certificates had non-empty Extended Key Usage (EKU) attributes that did not contain serverAuth and clientAuth attributes, the Libreswan IPsec implementation incorrectly rejected validation of the certificates. With this update, the IPsec profiles in NSS have been fixed, and Libreswan can now accept the described certificates.
|
Story Points: | --- |
| Clone Of: | 1212132 | Environment: | |
| Last Closed: | 2019-01-29 17:22:20 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1212132 | ||
| Bug Blocks: | |||
|
Description
Oneata Mircea Teodor
2018-11-16 08:13:41 UTC
fixed in: nss-util-3.36.0-1.1.el7_6 nss-3.36.0-7.1.el7_6 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:0172 |