Bug 881914 - openswan doesn't support SHA2 certificates
Summary: openswan doesn't support SHA2 certificates
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: openswan
Version: 6.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: Paul Wouters
QA Contact: Ondrej Moriš
Depends On:
TreeView+ depends on / blocked
Reported: 2012-11-29 18:47 UTC by Joshua Roys
Modified: 2014-07-01 03:43 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2013-11-21 23:43:46 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2013:1718 0 normal SHIPPED_LIVE openswan bug fix and enhancement update 2013-11-20 21:51:39 UTC

Description Joshua Roys 2012-11-29 18:47:41 UTC
Description of problem:
openswan does not support certificates signed with the SHA2 family

Version-Release number of selected component (if applicable):

How reproducible:
Setup openswan with certificate authentication, certs are signed using SHA2

Actual results:
openswan fails to setup connection with "digest algorithm not supported"

Expected results:
openswan successfully sets up connection

Additional info:
Please apply 98e2372ccaab3c585029dede2f1f6c7240a3c354 from upstream and set USE_EXTRACRYPTO=true in the spec file.  We have tested this locally.

Comment 2 Paul Wouters 2013-05-17 18:54:58 UTC
Note if we do port the attached patch, it should OT use EXTRACRYPTO because that also drags in support for blowfish and serpent, which we do not want.

Instead, SHA2 should be decoupled from EXTRACRYPTO, as has been done already in upstream libreswan.

Comment 3 Paul Wouters 2013-07-18 03:44:51 UTC
for QA: to test, generate at least one X.509 certificate that uses SHA2.

For an example, see: https://github.com/libreswan/libreswan/blob/master/testing/x509/dist_certs

Comment 11 errata-xmlrpc 2013-11-21 23:43:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.