Bug 868986
| Summary: | rightid= can be ignored when a peer certificate name field contains a comma | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Matt Rogers <mrogers> | ||||||
| Component: | openswan | Assignee: | Paul Wouters <pwouters> | ||||||
| Status: | CLOSED ERRATA | QA Contact: | Aleš Mareček <amarecek> | ||||||
| Severity: | medium | Docs Contact: | |||||||
| Priority: | medium | ||||||||
| Version: | 6.3 | CC: | amarecek, eparis, ksrot, pwouters | ||||||
| Target Milestone: | rc | ||||||||
| Target Release: | --- | ||||||||
| Hardware: | Unspecified | ||||||||
| OS: | Unspecified | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2013-11-21 23:43:26 UTC | Type: | Bug | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Attachments: |
|
||||||||
This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate, in the next release of Red Hat Enterprise Linux. This will break people who would use a "+". I'd rather see if we can change behaviour so that the first of "/" or "," becomes the separator, and the other character is then ignored. Perhaps nss has some code do handle things for us that we could use? Created attachment 644196 [details]
patch to allow ",," sequence in leftid= to escape a comma
Attaching a revised patch. This one will allow the escape of a comma inside an OID field by using ',,'
For example, an id that has the OU of "Global, Support, Services" can be specified as:
rightid="C=US, ST=North Carolina, O=Red Hat, OU=Global,, Support,, Services, CN=hostname"
Status will show the correct ID:
<10.13.211.217>[C=US, ST=North Carolina, O=Red Hat, OU=Global, Support, Services, CN=hostname,+S=C];
If the commas are not doubled then it fails as originally reported.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-1718.html |
Created attachment 631630 [details] patch to allow rightid '+' character to ignore comma Description of problem: In a configuration where connections are authorized based on certificates signed by the same CA (not loading the peer certificate locally), the rightid must be set to the certificate name. However if a certificate field has a comma in it, for example "O=Red Hat, Inc." then the rightid setting will be ignored. The ID will default to the peer IP and the connection does not auth due to an ID mismatch. Since it is common to have a comma in certain fields (especially the organization field) I am suggesting a patch that will add the ability to place a '+' in front of the comma in the rightid= option to be ignored as a field delimiter by atodn(). It will remove the + from the ID string and consider the trailing comma a field character. Setting "O=Red Hat+, Inc." from the previous example allows the connection to establish with the correct ID match. Version-Release number of selected component (if applicable): openswan-2.6.32-19.el6_3