[Swan] Certificate SubjectAltName checking

Daniel Collins daniel.collins at smoothwall.net
Tue Dec 5 15:46:19 UTC 2017


Hello

While upgrading from Libreswan 3.15 to 3.21 we found the tunnels using
certificate authentication ceased to work. The problem appears to stem
from this commit:
https://github.com/libreswan/libreswan/commit/6806420bfec59c8fa6e44d0a95a52d6878c10a6e

We have reverted this commit in our tree for the time being as a
workaround. Our certificates do not have a SubjectAltName field and the
common name matching doesn't appear to be sufficient. We also do not
enforce any kind of linkage between the configured tunnel IDs and the
fields within the certificate.

From a certificate within our test suite:

Subject: C=GB, O=Smoothwall, CN=tunnel12

The tunnel this certificate is used with uses "tunnel12.foo" as a FQDN
ID for the remote end, which fails with the following error in the
logs:

'"conn34"[2] 172.20.3.5 #9: certificate does not contain
subjectAltName=tunnel12.foo'

The log also shows '"conn34"[2] 172.20.3.5 #9: Peer public key
SubjectAltName does not match  peer ID for this connection' and
'complete v1 state transition with INVALID_ID_INFORMATION', but these
two are a direct result of the above.

Changing the ID to "tunnel12" is not sufficient to make the connection
work. Changing it to %fromcert makes this configuration work (even
though the remote is still using "tunnel12.foo"). I suspect this will
either break some of our customer configurations or introduce possible
security holes.

What are your thoughts on this? Are there caveats with using arbitrary
IDs when certificate auth is in use? What was the reasoning behind
this change to Libreswan?

Thanks

-- 
Daniel Collins
Software Developer

smoothwall
daniel.collins at smoothwall.com
www.smoothwall.com

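An added check (not from the post and not Libreswan's code) that models the matching behaviour Daniel describes: an FQDN or IP peer ID must appear in the certificate's SubjectAltName, the subject CN alone does not satisfy it, and %fromcert simply takes the ID from the subject. The SAN encoder builds constructed sample extension values so the script runs offline without real certificates; the ID typing rules (%fromcert, IP literal, DN, else FQDN) are a simplification assumed here, not Libreswan's ID parser.

```python
import ipaddress

def _tlv(tag, body):
    # DER tag-length-value; short-form length is enough for these samples
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def encode_san(dns_names=(), ips=()):
    """Build a DER SubjectAltName value (RFC 5280 GeneralNames). Used here to
    construct sample extension values in place of parsing a real certificate."""
    names = b"".join(_tlv(0x82, n.encode("ascii")) for n in dns_names)  # [2] dNSName
    names += b"".join(_tlv(0x87, ipaddress.ip_address(i).packed) for i in ips)  # [7] iPAddress
    return _tlv(0x30, names)  # SEQUENCE OF GeneralName

def parse_san(der):
    """Return (dns_names, ips) from a DER SubjectAltName value; other GeneralName
    types are skipped. None or empty input means the certificate has no SAN."""
    dns, ips = [], []
    if not der:
        return dns, ips
    assert der[0] == 0x30, "SubjectAltName must be a SEQUENCE"
    body, pos = der[2:2 + der[1]], 0
    while pos < len(body):
        tag, length = body[pos], body[pos + 1]
        val = body[pos + 2:pos + 2 + length]
        if tag == 0x82:
            dns.append(val.decode("ascii").lower())
        elif tag == 0x87:
            ips.append(str(ipaddress.ip_address(val)))
        pos += 2 + length
    return dns, ips

def id_matches_cert(peer_id, subject_dn, san_der):
    """Decide whether a configured peer ID is satisfied by a certificate, given
    its subject DN string and raw SAN value. ID typing is a simplification
    assumed here (not Libreswan's parser): %fromcert, IP literal, DN, else FQDN."""
    if peer_id == "%fromcert":
        return True, f"ID taken from certificate subject: {subject_dn}"
    dns, ips = parse_san(san_der)
    try:
        ip = str(ipaddress.ip_address(peer_id))
        return ip in ips, f"iPAddress {ip} {'present' if ip in ips else 'missing'} in SAN"
    except ValueError:
        pass  # not an IP literal
    if "=" in peer_id:
        return peer_id == subject_dn, "DN ID compared against certificate subject"
    fqdn = peer_id.lstrip("@").lower()
    if fqdn in dns:
        return True, f"dNSName {fqdn} found in SAN"
    return False, f"certificate does not contain subjectAltName={fqdn}; CN is not consulted"
```

Running it over the deployed IDs and certificates before an upgrade shows which tunnels will hit the "does not contain subjectAltName" error and which certificates need reissuing with a SAN.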

