Bug 868986 - rightid= can be ignored when a peer certificate name field contains a comma
Summary: rightid= can be ignored when a peer certificate name field contains a comma
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: openswan
Version: 6.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: Paul Wouters
QA Contact: Aleš Mareček
Depends On:
TreeView+ depends on / blocked
Reported: 2012-10-22 16:31 UTC by Matt Rogers
Modified: 2013-11-21 23:43 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2013-11-21 23:43:26 UTC

Attachments (Terms of Use)
patch to allow rightid '+' character to ignore comma (1.58 KB, patch)
2012-10-22 16:31 UTC, Matt Rogers
no flags Details | Diff
patch to allow ",," sequence in leftid= to escape a comma (1.46 KB, patch)
2012-11-13 16:11 UTC, Matt Rogers
no flags Details | Diff

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2013:1718 normal SHIPPED_LIVE openswan bug fix and enhancement update 2013-11-20 21:51:39 UTC

Description Matt Rogers 2012-10-22 16:31:38 UTC
Created attachment 631630 [details]
patch to allow rightid '+' character to ignore comma

Description of problem:

In a configuration where connections are authorized based on certificates signed by the same CA (not loading the peer certificate locally), the rightid must be set to the certificate name. However if a certificate field has a comma in it, for example "O=Red Hat, Inc." then the rightid setting will be ignored. The ID will default to the peer IP and the connection does not auth due to an ID mismatch.

Since it is common to have a comma in certain fields (especially the organization field) I am suggesting a patch that will add the ability to place a '+' in front of the comma in the rightid= option to be ignored as a field delimiter by atodn(). It will remove the + from the ID string and consider the trailing comma a field character. 

Setting "O=Red Hat+, Inc." from the previous example allows the connection to establish with the correct ID match.

Version-Release number of selected component (if applicable):


Comment 1 RHEL Product and Program Management 2012-10-22 16:39:41 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unable to address this
request at this time.

Red Hat invites you to ask your support representative to
propose this request, if appropriate, in the next release of
Red Hat Enterprise Linux.

Comment 2 Paul Wouters 2012-10-23 14:59:45 UTC
This will break people who would use a "+".

I'd rather see if we can change behaviour so that the first of "/" or "," becomes the separator, and the other character is then ignored.

Perhaps nss has some code do handle things for us that we could use?

Comment 3 Matt Rogers 2012-11-13 16:11:54 UTC
Created attachment 644196 [details]
patch to allow ",," sequence in leftid= to escape a comma

Attaching a revised patch. This one will allow the escape of a comma inside an OID field by using ',,'

For example, an id that has the OU of "Global, Support, Services" can be specified as:

  rightid="C=US, ST=North Carolina, O=Red Hat, OU=Global,, Support,, Services, CN=hostname"

Status will show the correct ID:

<>[C=US, ST=North Carolina, O=Red Hat, OU=Global, Support, Services, CN=hostname,+S=C];

If the commas are not doubled then it fails as originally reported.

Comment 8 errata-xmlrpc 2013-11-21 23:43:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.