Bug 12276

Summary: IPsec WUI: generating certificate from CSR omits subjectAltName
Product: IPFire Reporter: Peter Müller <peter.mueller>
Component: ---Assignee: Peter Müller <peter.mueller>
Status: ASSIGNED --- QA Contact:
Severity: Major Usability    
Priority: Will only affect a few users CC: alexander.marx, michael.tremer, ummeegge
Version: 2   
Hardware: all   
OS: All   
Bug Depends on:    
Bug Blocks: 11618    

Description Peter Müller 2020-01-22 20:41:44 UTC 
The IPsec WUI does not seem to be aware of subjectAltName in Certificate Signing Requests (CSRs) as generated certificates do contain an appropriate Common Name (CN), but not the requested SAN.

This is a show-stopper when trying to set up an IPsec connection between IPFire and OpenIKED.
Comment 1 Peter Müller 2020-01-22 21:06:05 UTC 
Apparently the root cause for this is the OpenSSL configuration @ /etc/openssl/ .
Comment 2 Peter Müller 2020-01-24 14:26:04 UTC 
OpenSSL does not simply use the X509.v3 extensions provided in any given CSR, which is why subjectAltNames are missing in the generated certificate.

After spending almost an hour on researching, passing SANs to OpenSSL seems to be possible by passing an additional configuration file. We could simply generate one of those on-the-fly, but will be limited to exactly one SAN then as we usually only have a destinations' FQDN.

In my opinion, the OpenVPN CGI suffers from the same issue (Erik CC'ed).

This OpenSSL bug/behaviour is, in the politest words I can describe it, pain in the ass de luxe. :-(
Comment 3 Michael Tremer 2020-01-24 16:51:26 UTC 
A solution you could implement is checking the CSR for any SANs. If those exist, you can ask openssl to copy them into the certificate.

Since that will fail if there is no SAN available, the check is necessary.

You should whitelist SANs only and not copy all other extensions, too.