Bug 881914

Summary: openswan doesn't support SHA2 certificates
Product: Red Hat Enterprise Linux 6 Reporter: Joshua Roys <roysjosh>
Component: openswanAssignee: Paul Wouters <pwouters>
Status: CLOSED ERRATA QA Contact: Ondrej Moriš <omoris>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.3CC: david.keatts, eparis, ksrot, omoris, pwouters
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-11-21 23:43:46 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Joshua Roys 2012-11-29 18:47:41 UTC
Description of problem:
openswan does not support certificates signed with the SHA2 family

Version-Release number of selected component (if applicable):

How reproducible:
Setup openswan with certificate authentication, certs are signed using SHA2

Actual results:
openswan fails to setup connection with "digest algorithm not supported"

Expected results:
openswan successfully sets up connection

Additional info:
Please apply 98e2372ccaab3c585029dede2f1f6c7240a3c354 from upstream and set USE_EXTRACRYPTO=true in the spec file.  We have tested this locally.

Comment 2 Paul Wouters 2013-05-17 18:54:58 UTC
Note if we do port the attached patch, it should OT use EXTRACRYPTO because that also drags in support for blowfish and serpent, which we do not want.

Instead, SHA2 should be decoupled from EXTRACRYPTO, as has been done already in upstream libreswan.

Comment 3 Paul Wouters 2013-07-18 03:44:51 UTC
for QA: to test, generate at least one X.509 certificate that uses SHA2.

For an example, see: https://github.com/libreswan/libreswan/blob/master/testing/x509/dist_certs

Comment 11 errata-xmlrpc 2013-11-21 23:43:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.