Package: strongswan
Version: 4.3.2-1.2
Severity: normal
Tags: patch

Upstream introduced a bug in version 4.3.x which breaks parsing of certificate 
common names if these contain email address OIDs (C=DE, O=org, e=...@bar.de). 
If incoming connection requests use certificates which contain CNs with such an 
OID, strongswan is unable to choose the correct connection definition from 
ipsec.conf and fails with 'no matching peer config found'.

This is fixed with upstream commit c8b543a6fc28bc335212ec69d39cc57f5b0e4095.
http://wiki.strongswan.org/repositories/revision/strongswan/c8b543a6fc28bc335212ec69d39cc57f5b0e4095

This broke our setup which was working fine with lenny (4.2.4-5+lenny3) when we 
upgraded strongswan to a backported squeeze version (4.3.2-1.2).

-- System Information:
Debian Release: 5.0.4
  APT prefers proposed-updates
  APT policy: (500, 'proposed-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-vserver-686 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages strongswan depends on:
ii  strongswan-ikev1              4.3.2-1.2  strongSwan Internet Key Exchange (
ii  strongswan-ikev2              4.3.2-1.2  strongSwan Internet Key Exchange (

strongswan recommends no packages.

Versions of packages strongswan suggests:
pn  network-manager-strongswan    <none>     (no description available)

-- debconf information:
  strongswan/x509_self_signed: true
  strongswan/x509_state_name:
* strongswan/start_level: earliest
  strongswan/x509_organizational_unit:
  strongswan/ikev2: true
  strongswan/x509_email_address:
* strongswan/enable-oe: false
  strongswan/x509_locality_name:
  strongswan/x509_country_code: AT
  strongswan/ikev1: true
  strongswan/x509_organization_name:
  strongswan/existing_x509_key_filename:
  strongswan/rsa_key_type: x509
* strongswan/create_rsa_key: false
  strongswan/existing_x509_certificate: false
* strongswan/restart: true
  strongswan/x509_common_name:
  strongswan/rsa_key_length: 2048
  strongswan/existing_x509_certificate_filename:

commit c8b543a6fc28bc335212ec69d39cc57f5b0e4095
Author: Andreas Steffen <andreas.stef...@strongswan.org>
Date:   Tue Aug 18 17:52:00 2009 +0200

    fixed wrong emailAddress OID introduced by revision c31687da

diff --git a/src/libstrongswan/utils/identification.c 
b/src/libstrongswan/utils/identification.c
index 10daf46..7c3b19c 100644
--- a/src/libstrongswan/utils/identification.c
+++ b/src/libstrongswan/utils/identification.c
@@ -85,9 +85,9 @@ static const x501rdn_t x501rdns[] = {
        {"ID",                          OID_UNIQUE_IDENTIFIER,          
ASN1_PRINTABLESTRING},
        {"EN",                          OID_EMPLOYEE_NUMBER,            
ASN1_PRINTABLESTRING},
        {"employeeNumber",      OID_EMPLOYEE_NUMBER,            
ASN1_PRINTABLESTRING},
-       {"E",                           OID_EMAIL_ADDRESS,                      
ASN1_IA5STRING},
-       {"Email",                       OID_EMAIL_ADDRESS,                      
ASN1_IA5STRING},
-       {"emailAddress",        OID_EMAIL_ADDRESS,                      
ASN1_IA5STRING},
+       {"E",                           OID_PKCS9_EMAIL,                        
ASN1_IA5STRING},
+       {"Email",                       OID_PKCS9_EMAIL,                        
ASN1_IA5STRING},
+       {"emailAddress",        OID_PKCS9_EMAIL,                        
ASN1_IA5STRING},
        {"UN",                          OID_UNSTRUCTURED_NAME,          
ASN1_IA5STRING},
        {"unstructuredName",OID_UNSTRUCTURED_NAME,              ASN1_IA5STRING},
        {"TCGID",                       OID_TCGID,                              
        ASN1_PRINTABLESTRING}
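Review bot: no regression test accompanies the change of the three emailAddress aliases (E, Email, emailAddress) in x501rdns[] from OID_EMAIL_ADDRESS to OID_PKCS9_EMAIL; a test that parses a configured identity such as `C=DE, O=org, E=user@example.org` (constructed value) and compares it against the same DN decoded from a certificate would have caught the wrong mapping introduced in revision c31687da and would catch it again the next time this table is edited. It is also worth confirming that OID_EMAIL_ADDRESS is not referenced anywhere else, since the diff touches only this lookup table.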

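The mechanism behind the 'no matching peer config found' failure, as an added illustration that is not strongSwan code: identities written in ipsec.conf go through an alias-to-OID table (the role of x501rdns[] above), while the peer certificate's subject already carries numeric OIDs, so a wrong OID for the E/Email/emailAddress aliases makes the two never compare equal. The OID values are the standard X.520 and PKCS#9 ones; WRONG_EMAIL and the sample subject are constructed for the demonstration.

```python
# Constructed model of DN identity matching; not strongSwan's implementation.
PKCS9_EMAIL = "1.2.840.113549.1.9.1"   # emailAddress, PKCS#9 (RFC 2985)
WRONG_EMAIL = "1.2.840.113549.1.9.0"   # constructed stand-in for a wrong constant


def rdn_table(email_oid):
    """Alias -> OID table, playing the role of x501rdns[] in identification.c."""
    return {"C": "2.5.4.6", "O": "2.5.4.10", "OU": "2.5.4.11", "CN": "2.5.4.3",
            "E": email_oid, "Email": email_oid, "emailAddress": email_oid}


def parse_dn(text, table):
    """Parse 'C=DE, O=org, E=user@example.org' into a tuple of (oid, value)."""
    rdns = []
    for part in text.split(","):
        key, sep, value = part.strip().partition("=")
        if not sep or key not in table:
            raise ValueError(f"unsupported RDN {part.strip()!r}")
        rdns.append((table[key], value.strip()))
    return tuple(rdns)


def find_peer_config(cert_subject, configs, table):
    """Return the first config name whose rightid equals the certificate subject.

    Comparison is by OID, so E=, Email= and emailAddress= are interchangeable
    only if the table maps all of them to the OID the certificate uses.
    """
    for name, rightid in configs:
        if parse_dn(rightid, table) == cert_subject:
            return name
    return None   # the point at which strongSwan reports no matching peer config


# Subject as decoded from a peer certificate (constructed values).
CERT_SUBJECT = (("2.5.4.6", "DE"), ("2.5.4.10", "org"),
                (PKCS9_EMAIL, "user@example.org"))
CONFIGS = [("roadwarrior", "C=DE, O=org, E=user@example.org")]

if __name__ == "__main__":
    print(find_peer_config(CERT_SUBJECT, CONFIGS, rdn_table(WRONG_EMAIL)))  # None
    print(find_peer_config(CERT_SUBJECT, CONFIGS, rdn_table(PKCS9_EMAIL)))  # roadwarrior
```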