Issue #1271
X.509 UTF-8 support
Description
strongSwan doesn't support UTF-8 encoded DNs, producing only question marks instead of the encoded text.
ipsec[479]: 03[IKE] IKE_SA ikev2-pubkey[7] established between 5.6.7.8[CN=something]...1.2.3.4[CN=???????? ??????]
ipsec[479]: 03[IKE] sending end entity cert "CN=something"
ipsec[479]: 03[IKE] peer requested virtual IP %any
ipsec[479]: 03[CFG] reassigning offline lease to 'CN=???????? ??????'
ipsec[479]: 03[IKE] assigning virtual IP 192.168.103.2 to peer 'CN=???????? ??????'
Afterwards, it sends the incorrect CN to RADIUS, and accounting fails because RADIUS can't decode the CN and find the user in the database.
The certificate was generated with the openssl -utf8 flag.
History
#1 Updated by ValdikSS ValdikSS over 6 years ago
Some more information: the CN is UTF8STRING-encoded. strongSwan won't use a UTF-8 SAN DNS or a negotiated EAP-Identity either.
The RADIUS plugin sends real question marks (0x3F) to the RADIUS server.
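
Added example, not part of the issue thread or strongSwan's code: it parses a constructed DER commonName carrying a UTF8String and renders it two ways, assuming the question marks in the log come from replacing every byte outside printable ASCII with 0x3F. The sample names, the helper functions and that replacement rule are assumptions for illustration.

```python
# Added example with constructed data; not strongSwan source code.
CN_OID = bytes.fromhex("550403")  # OID 2.5.4.3 (commonName)
TAG_SET, TAG_SEQ, TAG_OID, TAG_UTF8STRING = 0x31, 0x30, 0x06, 0x0C

def der_tlv(tag, value):
    """Encode a short-form DER TLV (value must be under 128 bytes)."""
    if len(value) >= 0x80:
        raise ValueError("long-form lengths are out of scope here")
    return bytes([tag, len(value)]) + value

def build_cn_rdn(name):
    """SET { SEQUENCE { OID commonName, UTF8String name } } as test input."""
    value = der_tlv(TAG_UTF8STRING, name.encode("utf-8"))
    return der_tlv(TAG_SET, der_tlv(TAG_SEQ, der_tlv(TAG_OID, CN_OID) + value))

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos); reject truncated or long-form input."""
    if pos + 2 > len(buf) or buf[pos + 1] & 0x80:
        raise ValueError("truncated or long-form TLV")
    end = pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("TLV length runs past the buffer")
    return buf[pos], buf[pos + 2:end], end

def parse_cn(rdn):
    """Return (string_tag, raw_bytes) of the CN value in a one-attribute RDN."""
    tag, body, _ = read_tlv(rdn)
    if tag != TAG_SET:
        raise ValueError("expected SET")
    tag, body, _ = read_tlv(body)
    if tag != TAG_SEQ:
        raise ValueError("expected SEQUENCE")
    tag, oid, pos = read_tlv(body)
    if tag != TAG_OID or oid != CN_OID:
        raise ValueError("not a commonName attribute")
    str_tag, raw, _ = read_tlv(body, pos)
    return str_tag, raw

def render_bytewise(raw):
    """Assumed lossy rendering: each non-printable-ASCII byte becomes '?'."""
    return "".join(chr(b) if 0x20 <= b <= 0x7E else "?" for b in raw)

def render_utf8(str_tag, raw):
    """Decode a UTF8String strictly, so malformed input raises instead of hiding."""
    return raw.decode("utf-8") if str_tag == TAG_UTF8STRING else render_bytewise(raw)

if __name__ == "__main__":
    for name in ("Тест Имя", "Вася Оля"):  # constructed names, 8 + 6 UTF-8 bytes
        tag, raw = parse_cn(build_cn_rdn(name))
        print(f"CN={render_bytewise(raw)}  |  CN={render_utf8(tag, raw)}")
```

Under that assumption, both constructed names render as `???????? ??????`, the same shape as the log lines above, so a backend that looks users up by that string cannot tell the two apart.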