Summary: | use SubjectAltName for IPsec root/host certificate | ||
---|---|---|---|
Product: | IPFire | Reporter: | Peter Müller <peter.mueller> |
Component: | --- | Assignee: | Peter Müller <peter.mueller> |
Status: | CLOSED FIXED | QA Contact: | |
Severity: | Major Usability | ||
Priority: | Will only affect a few users | CC: | michael.tremer, tomvend |
Version: | 2 | ||
Hardware: | all | ||
OS: | All | ||
See Also: | https://bugzilla.ipfire.org/show_bug.cgi?id=11593, https://bugzilla.ipfire.org/show_bug.cgi?id=10595 | ||
Bug Depends on: | |||
Bug Blocks: | 11618 |
Description
Peter Müller
2018-01-14 13:37:19 UTC
This is also recommended by Strongswan. From https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA : "If you want to add subjectAltName extensions to your certificates use the --san option (can be provided multiple times), for instance, --san vpn.strongswan.org or --san peer@strongswan.org. It is recommended to include the hostname of a gateway as subjectAltName in its certificate."

Yes, since the implementation is so old, this wasn't a thing. Peter, would you send a patch for this? I think you know what there is to do here.

Just bumped into this again. I will try to develop a fix for it... :-) Sorry for high response latency.

@All: Should a SubjectAlternativeName be mandatory for newly generated certificates?

https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=993724b4dd9837af033880d7816511818f030d59
https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=8e9f096e702d4bb7cd7ca74e40686e6a23d77abc

However, certificate generation from CSRs does not honour subjectAltName extensions, so there is *another* bug to solve until OpenIKED is finally working correctly...
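
The CSR behaviour mentioned in the last comment can be reproduced and checked outside IPFire. The script below is an added example, not code from this bug report or from IPFire: it assumes the stock `openssl x509 -req` signing path (the page does not show IPFire's own signing commands) and uses constructed names such as vpn.example.org and throwaway keys. It signs one CSR twice and prints the SAN found in each result.

```shell
#!/bin/sh
# Added example: every name and key below is a constructed throwaway value.
set -eu

# Print the subjectAltName of a certificate ("x509") or CSR ("req"),
# or "none" when the extension is absent.
san_of() {
    openssl "$1" -in "$2" -noout -text |
        awk '/X509v3 Subject Alternative Name/ { getline; sub(/^ +/, ""); print; found = 1 }
             END { if (!found) print "none" }'
}

# In directory $1, create a test CA, a CSR for host $2 that requests a SAN,
# and two certificates signed from that CSR: plain.pem and san.pem.
build_certs() {
    dir=$1 host=$2
    printf '[req]\ndistinguished_name=dn\nx509_extensions=v3_ca\nprompt=no\n[dn]\nCN=Example Test CA\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' > "$dir/ca.cnf"
    cat > "$dir/host.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = $host
[v3_req]
subjectAltName = DNS:$host
EOF
    printf 'subjectAltName = DNS:%s\n' "$host" > "$dir/san.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/ca.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/host.cnf" \
        -keyout "$dir/host.key" -out "$dir/host.csr" 2>/dev/null
    # Signed as-is: the extensions requested in the CSR are not copied.
    openssl x509 -req -in "$dir/host.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -set_serial 1 -days 1 -out "$dir/plain.pem" 2>/dev/null
    # Signed with the SAN supplied by the signer through -extfile.
    openssl x509 -req -in "$dir/host.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -set_serial 2 -days 1 -extfile "$dir/san.ext" -out "$dir/san.pem" 2>/dev/null
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
build_certs "$workdir" vpn.example.org
echo "CSR requests:        $(san_of req  "$workdir/host.csr")"
echo "signed as-is:        $(san_of x509 "$workdir/plain.pem")"
echo "signed with extfile: $(san_of x509 "$workdir/san.pem")"
```

OpenSSL 3.0 and later also accept `-copy_extensions copy` on `x509 -req`. That option copies whatever the requester put in the CSR, so it is only appropriate when the CSR contents are trusted or checked before signing.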