Bug 868986 - rightid= can be ignored when a peer certificate name field contains a comma
rightid= can be ignored when a peer certificate name field contains a comma
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: openswan (Show other bugs)
6.3
Unspecified Unspecified
medium Severity medium
: rc
: ---
Assigned To: Paul Wouters
Aleš Mareček
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-10-22 12:31 EDT by Matt Rogers
Modified: 2013-11-21 18:43 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-11-21 18:43:26 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
patch to allow rightid '+' character to ignore comma (1.58 KB, patch)
2012-10-22 12:31 EDT, Matt Rogers
no flags Details | Diff
patch to allow ",," sequence in leftid= to escape a comma (1.46 KB, patch)
2012-11-13 11:11 EST, Matt Rogers
no flags Details | Diff

  None (edit)
Description Matt Rogers 2012-10-22 12:31:38 EDT
Created attachment 631630 [details]
patch to allow rightid '+' character to ignore comma

Description of problem:

In a configuration where connections are authorized based on certificates signed by the same CA (not loading the peer certificate locally), the rightid must be set to the certificate name. However if a certificate field has a comma in it, for example "O=Red Hat, Inc." then the rightid setting will be ignored. The ID will default to the peer IP and the connection does not auth due to an ID mismatch.

Since it is common to have a comma in certain fields (especially the organization field) I am suggesting a patch that will add the ability to place a '+' in front of the comma in the rightid= option to be ignored as a field delimiter by atodn(). It will remove the + from the ID string and consider the trailing comma a field character. 

Setting "O=Red Hat+, Inc." from the previous example allows the connection to establish with the correct ID match.

Version-Release number of selected component (if applicable):

openswan-2.6.32-19.el6_3
Comment 1 RHEL Product and Program Management 2012-10-22 12:39:41 EDT
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unable to address this
request at this time.

Red Hat invites you to ask your support representative to
propose this request, if appropriate, in the next release of
Red Hat Enterprise Linux.
Comment 2 Paul Wouters 2012-10-23 10:59:45 EDT
This will break people who would use a "+".

I'd rather see if we can change behaviour so that the first of "/" or "," becomes the separator, and the other character is then ignored.

Perhaps nss has some code do handle things for us that we could use?
Comment 3 Matt Rogers 2012-11-13 11:11:54 EST
Created attachment 644196 [details]
patch to allow ",," sequence in leftid= to escape a comma

Attaching a revised patch. This one will allow the escape of a comma inside an OID field by using ',,'

For example, an id that has the OU of "Global, Support, Services" can be specified as:

  rightid="C=US, ST=North Carolina, O=Red Hat, OU=Global,, Support,, Services, CN=hostname"

Status will show the correct ID:

<10.13.211.217>[C=US, ST=North Carolina, O=Red Hat, OU=Global, Support, Services, CN=hostname,+S=C];

If the commas are not doubled then it fails as originally reported.
Comment 8 errata-xmlrpc 2013-11-21 18:43:26 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1718.html

Note You need to log in before you can comment on or make changes to this bug.