Certificate policies cause rejections
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
strongswan (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
If a certificate has a policy, strongswan rejects it unless every certificate up the chain has the same policy. For certificates issued by CAs today, this is not a valid assumption. This assumption results in my Ubuntu laptop being unable to connect to my workplace VPN (which is actually also Ubuntu strongswan, but that's irrelevant).
The attached patch from upstream git fixes the problem by changing the validation behavior. From the upstream commit message:
--
Instead of rejecting the certificate completely if a certificate has a policy OID that is actually not allowed by the issuer CA, we accept it. However, the certificate policy itself is still considered invalid, and is not returned in the auth config resulting from trust chain operations.
A user must make sure to rely on the returned auth config certificate policies instead of the policies contained in the certificate; even if the certificate is valid, the policy OID itself in the certificate is not to be trusted anymore.
--
This patch applies exactly from upstream to strongswan in Vivid. It can be trivially backported to Precise (which I've done and tested). I did not specifically test it on any versions in the middle.
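A simplified model of the behaviour change described in the commit message above, added here as an illustration; it is not strongSwan's code and not part of the attached patch. The `Cert` class, the function names and the `2.999.*` OIDs are assumptions made up for the example, and policy mappings and inhibitAnyPolicy are not modelled.

```python
from dataclasses import dataclass

ANY_POLICY = "2.5.29.32.0"  # RFC 5280 anyPolicy


@dataclass(frozen=True)
class Cert:  # hypothetical stand-in for a parsed X.509 certificate
    subject: str
    policies: frozenset  # certificatePolicies OIDs carried in the certificate


class ChainRejected(Exception):
    pass


def policy_allowed(oid, issuers):
    # Valid only if every CA above the subject asserts the OID (or anyPolicy).
    return all(oid in ca.policies or ANY_POLICY in ca.policies for ca in issuers)


def validate_chain(chain, strict):
    """chain[0] is the subject, the rest are its issuers up to the root.

    strict=True  models the behaviour in the bug report: reject the chain.
    strict=False models the patched behaviour: accept, drop untrusted policies.
    Returns the policies a caller may rely on (the "auth config" view).
    """
    subject, issuers = chain[0], chain[1:]
    trusted = set()
    for oid in sorted(subject.policies):
        if policy_allowed(oid, issuers):
            trusted.add(oid)
        elif strict:
            raise ChainRejected(f"{subject.subject}: policy {oid} not allowed by issuer")
    return trusted


def authorize(chain, required_oid):
    # Decide on the validated set, never on chain[0].policies directly.
    return required_oid in validate_chain(chain, strict=False)


# Constructed sample chain; 2.999 is the OID arc reserved for examples.
VPN_USERS, ADMIN = "2.999.1", "2.999.2"
ROOT = Cert("Example Root CA", frozenset({ANY_POLICY}))
SUB = Cert("Example Issuing CA", frozenset({VPN_USERS}))
LEAF = Cert("laptop.example.org", frozenset({VPN_USERS, ADMIN}))
CHAIN = [LEAF, SUB, ROOT]
```

In this constructed chain the leaf still carries the `ADMIN` OID after a successful non-strict validation, which is why an authorization check that reads the certificate's own policies instead of the returned set would grant more than the issuers allow.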
The attachment "0001-constraints-Don-t-reject-certificates-with-invalid-c.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.
[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]