Issue #1271

X.509 UTF-8 support

Added by ValdikSS over 4 years ago. Updated over 4 years ago.

Status: New
Priority: Normal
Assignee: -
Category: -
Affected version: 5.3.5
Resolution:

Description

strongSwan doesn't support UTF-8 encoded DN, producing only question marks instead of encoded text.

ipsec[479]: 03[IKE] IKE_SA ikev2-pubkey[7] established between 5.6.7.8[CN=something]...1.2.3.4[CN=???????? ??????]
ipsec[479]: 03[IKE] sending end entity cert "CN=something"
ipsec[479]: 03[IKE] peer requested virtual IP %any
ipsec[479]: 03[CFG] reassigning offline lease to 'CN=???????? ??????'
ipsec[479]: 03[IKE] assigning virtual IP 192.168.103.2 to peer 'CN=???????? ??????'

Afterwards it sends an incorrect CN to RADIUS, and accounting fails because RADIUS can't decode the CN and find the user in the database.

The certificate was generated with the openssl -utf8 flag.

History

#1 Updated by ValdikSS over 4 years ago

Some more information: the CN is UTF8STRING-encoded. strongSwan won't use a UTF-8 SAN DNS or a negotiated EAP-Identity either.
The RADIUS plugin sends real question marks (0x3F) to the RADIUS server.
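The following is an added example, not part of the report and not strongSwan code. It walks a DER-encoded X.509 Name, flags CN values stored as UTF8String with non-ASCII content, and shows what an ASCII-only rendering would hand to a log or RADIUS lookup. The function names, the sample CN and the lossy-rendering model are assumptions made for illustration.

```python
# Added example: minimal DER walk over an X.509 Name (not strongSwan code).
UTF8STRING, PRINTABLESTRING = 0x0C, 0x13   # ASN.1 universal string tags
CN_OID = bytes([0x55, 0x04, 0x03])         # 2.5.4.3 commonName

def tlv(tag, value):
    """Encode one DER TLV (short-form length only, value under 128 bytes)."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value

def read_tlv(buf, pos):
    """Return (tag, value, next_pos); reject truncated or long-form lengths."""
    if pos + 2 > len(buf) or buf[pos + 1] & 0x80:
        raise ValueError("truncated or long-form length not handled here")
    tag, length = buf[pos], buf[pos + 1]
    end = pos + 2 + length
    if end > len(buf):
        raise ValueError("length exceeds buffer")
    return tag, buf[pos + 2:end], end

def build_name(cn, string_tag):
    """Constructed sample: Name ::= SEQUENCE { SET { SEQUENCE { OID, value } } }."""
    atv = tlv(0x30, tlv(0x06, CN_OID) + tlv(string_tag, cn.encode("utf-8")))
    return tlv(0x30, tlv(0x31, atv))

def inspect_cn(name_der):
    """Yield (string_tag, decoded_cn, lossy_ascii, affected) for each CN found."""
    tag, rdns, _ = read_tlv(name_der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    pos = 0
    while pos < len(rdns):
        _, rdn_set, pos = read_tlv(rdns, pos)  # SET OF AttributeTypeAndValue
        _, atv, _ = read_tlv(rdn_set, 0)       # first attribute of the RDN only
        _, oid, vpos = read_tlv(atv, 0)
        vtag, raw, _ = read_tlv(atv, vpos)
        if oid != CN_OID:
            continue
        text = raw.decode("utf-8")
        # Assumed model of the symptom: each non-ASCII character becomes 0x3F.
        lossy = text.encode("ascii", errors="replace")
        yield vtag, text, lossy, vtag == UTF8STRING and lossy != raw

if __name__ == "__main__":
    for cn, tag in (("Пример Имя", UTF8STRING), ("something", PRINTABLESTRING)):
        print(list(inspect_cn(build_name(cn, tag))))
```

A CN flagged as affected is one whose ASCII-only form no longer matches the identity stored in the user database, which is the accounting failure described above.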
