Red Hat Bugzilla – Bug 1460402
libreswan mistakenly does not allow repeated CERT / CERTREQ payloads in IKEv2
Last modified: 2017-08-01 08:31:06 EDT
Description of problem:
"tunnel-XXXX" #768: payload (ISAKMP_NEXT_v2CERT) unexpectedly repeated. Message dropped.
This affects all versions of libreswan up to 3.18, so RHEL-7.3 packages have this issue as well. All versions of openswan are affected as well.
The current (prerelease) build for RHEL-7.4 which is based on 3.20 contains the fix for this issue.
The code change is in ikev2.c. Before (3.18 and earlier):
static const lset_t repeatable_payloads = P(N) | P(D) | P(CP) | P(V);
After (3.20):
static const lset_t repeatable_payloads = P(N) | P(D) | P(CP) | P(V) | P(CERT) | P(CERTREQ);
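To show why the one-line change matters, here is a small model of the check that produces the "payload (ISAKMP_NEXT_v2CERT) unexpectedly repeated" error: the parser walks the chain of generic payload headers, records each payload type in a bitmask of types already seen, and drops the message when a type that is not in the repeatable set appears a second time. This is an added example written for this page, not libreswan's own code; the lset_t/LELEM/P() definitions, the walk_payloads/build_chain/check_chain helpers, the length and bounds checks, and the constructed IDi/CERT/CERT/AUTH chain are all assumptions made here (the payload type numbers are from RFC 7296 section 3.2). With the 3.18 set a peer that sends its certificate chain as two CERT payloads is rejected; with the 3.20 set it is accepted, while a genuinely non-repeatable payload such as AUTH is still rejected.

```c
#include <assert.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* IKEv2 payload type numbers (RFC 7296, section 3.2). */
enum ikev2_payload_type {
    ISAKMP_NEXT_v2NONE    = 0,
    ISAKMP_NEXT_v2IDi     = 35,
    ISAKMP_NEXT_v2CERT    = 37,
    ISAKMP_NEXT_v2CERTREQ = 38,
    ISAKMP_NEXT_v2AUTH    = 39,
    ISAKMP_NEXT_v2N       = 41,
    ISAKMP_NEXT_v2D       = 42,
    ISAKMP_NEXT_v2V       = 43,
    ISAKMP_NEXT_v2CP      = 47,
};

/* A 64-bit set indexed by payload type, the same shape as libreswan's
 * lset_t / LELEM() / P() (assumption: simplified here, not the project's
 * headers). Type numbers 0..47 fit in 64 bits. */
typedef uint64_t lset_t;
#define LELEM(n) ((lset_t)1 << (n))
#define P(x) LELEM(ISAKMP_NEXT_v2##x)

/* The set from libreswan <= 3.18: CERT and CERTREQ may appear only once. */
static const lset_t REPEATABLE_OLD = P(N) | P(D) | P(CP) | P(V);
/* The set from libreswan 3.20: CERT and CERTREQ may repeat. */
static const lset_t REPEATABLE_NEW = P(N) | P(D) | P(CP) | P(V) | P(CERT) | P(CERTREQ);

enum walk_result { WALK_OK = 0, WALK_REPEATED = 1, WALK_MALFORMED = 2 };

/* Walk a chain of generic payload headers (next payload, flags, 16-bit
 * big-endian length) whose first payload has type first_np. Reject the
 * message if a type outside `repeatable` appears twice. */
enum walk_result walk_payloads(lset_t repeatable, uint8_t first_np,
                               const uint8_t *buf, size_t len)
{
    lset_t seen = 0;
    uint8_t np = first_np;
    size_t off = 0;

    while (np != ISAKMP_NEXT_v2NONE) {
        if (np >= 64)                 /* not representable in the set */
            return WALK_MALFORMED;
        if (len - off < 4)            /* truncated generic header */
            return WALK_MALFORMED;
        uint16_t plen = (uint16_t)((buf[off + 2] << 8) | buf[off + 3]);
        if (plen < 4 || plen > len - off)
            return WALK_MALFORMED;

        lset_t bit = LELEM(np);
        if ((seen & bit) && !(repeatable & bit))
            return WALK_REPEATED;     /* "payload ... unexpectedly repeated" */
        seen |= bit;

        np = buf[off];                /* next-payload field of this header */
        off += plen;
    }
    return off == len ? WALK_OK : WALK_MALFORMED;
}

/* Build a chain of payloads of the given types, each 8 bytes long with a
 * constructed 4-byte filler body. Returns bytes written, 0 if out is too small. */
size_t build_chain(const uint8_t *types, size_t n, uint8_t *out, size_t cap)
{
    size_t off = 0;
    for (size_t i = 0; i < n; i++) {
        if (cap - off < 8) return 0;
        out[off + 0] = (i + 1 < n) ? types[i + 1] : ISAKMP_NEXT_v2NONE;
        out[off + 1] = 0;                     /* critical bit clear */
        out[off + 2] = 0; out[off + 3] = 8;   /* payload length 8 */
        memset(out + off + 4, 0xAB, 4);       /* constructed filler body */
        off += 8;
    }
    return off;
}

/* Build a chain from `types` and walk it under the given repeatable set. */
enum walk_result check_chain(lset_t repeatable, const uint8_t *types, size_t n)
{
    uint8_t buf[256];
    size_t len = build_chain(types, n, buf, sizeof buf);
    if (n == 0 || len == 0) return WALK_MALFORMED;
    return walk_payloads(repeatable, types[0], buf, len);
}

int main(void)
{
    /* Constructed IKE_AUTH inner chain carrying a two-certificate chain. */
    const uint8_t two_certs[] = { ISAKMP_NEXT_v2IDi, ISAKMP_NEXT_v2CERT,
                                  ISAKMP_NEXT_v2CERT, ISAKMP_NEXT_v2AUTH };
    const uint8_t two_auth[]  = { ISAKMP_NEXT_v2IDi, ISAKMP_NEXT_v2AUTH,
                                  ISAKMP_NEXT_v2AUTH };
    printf("3.18 set, two CERTs: %d (1 = dropped)\n",
           check_chain(REPEATABLE_OLD, two_certs, 4));
    printf("3.20 set, two CERTs: %d (0 = accepted)\n",
           check_chain(REPEATABLE_NEW, two_certs, 4));
    printf("3.20 set, two AUTHs: %d (1 = still dropped)\n",
           check_chain(REPEATABLE_NEW, two_auth, 3));
    return 0;
}
```

The check is deliberately a set membership test rather than a count per type: a repeated type that is in the set is always allowed, so the fix is exactly the two extra bits in the mask, and every other payload type keeps the single-occurrence rule.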
Cannot reproduce this issue. Verified SanityOnly with libreswan-3.20-3.el7.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory, and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.