Red Hat Bugzilla – Bug 881914
openswan doesn't support SHA2 certificates
Last modified: 2014-06-30 23:43:47 EDT
Description of problem: openswan does not support certificates signed with the SHA2 family Version-Release number of selected component (if applicable): openswan-2.6.32-19.el6_3 How reproducible: Setup openswan with certificate authentication, certs are signed using SHA2 Actual results: openswan fails to setup connection with "digest algorithm not supported" Expected results: openswan successfully sets up connection Additional info: Please apply 98e2372ccaab3c585029dede2f1f6c7240a3c354 from upstream and set USE_EXTRACRYPTO=true in the spec file. We have tested this locally.
Note if we do port the attached patch, it should OT use EXTRACRYPTO because that also drags in support for blowfish and serpent, which we do not want. Instead, SHA2 should be decoupled from EXTRACRYPTO, as has been done already in upstream libreswan.
for QA: to test, generate at least one X.509 certificate that uses SHA2. For an example, see: https://github.com/libreswan/libreswan/blob/master/testing/x509/dist_certs
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-1718.html