Issue #3304
Found unsupported critical X.509 extension: X509v3 Name Constraints
Description
For some reason I can't load a CA certificate which contains X509v3 Name Constraints, even though the constraints plugin is loaded.
Jan 03 12:55:37 ipsec-test-openssl charon[20209]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jan 03 12:55:37 ipsec-test-openssl charon[20209]: 00[LIB] found unsupported critical X.509 extension: X509v3 Name Constraints
Jan 03 12:55:37 ipsec-test-openssl charon[20209]: 00[LIB] OpenSSL X.509 parsing failed
Jan 03 12:55:37 ipsec-test-openssl charon[20209]: 00[LIB] building CRED_CERTIFICATE - X509 failed, tried 4 builders
Jan 03 12:55:37 ipsec-test-openssl charon[20209]: 00[CFG] loading ca certificate from '/etc/ipsec.d/cacerts/ca.crt' failed
Jan 03 12:55:37 ipsec-test-openssl charon[20209]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jan 03 12:55:37 ipsec-test-openssl charon[20209]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jan 03 12:55:37 ipsec-test-openssl charon[20209]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jan 03 12:55:37 ipsec-test-openssl charon[20209]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jan 03 12:55:37 ipsec-test-openssl charon[20209]: 00[CFG] loaded crl from '/etc/ipsec.d/crls/root.pem'
Jan 03 12:55:37 ipsec-test-openssl charon[20209]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jan 03 12:55:37 ipsec-test-openssl charon[20209]: 00[CFG] loaded ECDSA private key from '/etc/ipsec.d/private/XXX.key'
Jan 03 12:55:37 ipsec-test-openssl charon[20209]: 00[LIB] loaded plugins: charon aes sha2 random nonce x509 revocation constraints pubkey pkcs7 pkcs8 pkcs12 pgp pem openssl hmac gcm kernel-netlink socket-default stroke
Versions:
ii libcharon-standard-plugins 5.7.1-1ubuntu2 amd64 strongSwan charon library (standard plugins)
ii libstrongswan 5.7.1-1ubuntu2 amd64 strongSwan utility and crypto library
ii libstrongswan-standard-plugins 5.7.1-1ubuntu2 amd64 strongSwan utility and crypto library (standard plugins)
ii strongswan 5.7.1-1ubuntu2 all IPsec VPN solution metapackage
ii strongswan-charon 5.7.1-1ubuntu2 amd64 strongSwan Internet Key Exchange daemon
ii strongswan-libcharon 5.7.1-1ubuntu2 amd64 strongSwan charon library
ii strongswan-starter 5.7.1-1ubuntu2 amd64 strongSwan daemon starter and configuration file parser
OpenSSL 1.1.1b 26 Feb 2019
Let me know if you need any additional debug information
Thanks!
History
#1 Updated by Jack Ivanov over 2 years ago
Sorry, wrong version specified in the subject. It's 5.7.1, not 5.8.2.
#2 Updated by Tobias Brunner over 2 years ago
- Status changed from New to Feedback
- Affected version changed from 5.8.2 to 5.7.1
The openssl plugin currently has no support for name constraints (and several other extensions, which the x509 plugin supports). So if the extension is marked critical in the certificate it can't be loaded by that plugin. Why it also fails with the x509 plugin, which you apparently have loaded too and which supports that extension, I don't know. It might be helpful if you could attach the certificate.
The constraints plugin is used to enforce such constraints, not to parse them.
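The rule behind the error above (a parser must reject a certificate carrying a critical extension it does not understand, RFC 5280 §4.2) as an added, stand-alone example; this is not strongSwan code. It walks the DER of an X.509 Extensions sequence with the standard library only, reports which extensions are flagged critical, and applies an assumed "supported" set; the sample Extensions bytes are constructed inline (CA:TRUE plus a Name Constraints entry permitting DNS "example.com", both critical).

```python
"""List critical X.509 extensions from DER and flag unsupported ones (stdlib only)."""
from typing import Iterator, List, Tuple

def der_tlv(data: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the TLV at pos; handles long-form lengths."""
    tag, ln, pos = data[pos], data[pos + 1], pos + 2
    if ln & 0x80:                      # long form: low 7 bits = number of length octets
        n, ln = ln & 0x7F, 0
        for _ in range(n):
            ln, pos = (ln << 8) | data[pos], pos + 1
    return tag, data[pos:pos + ln], pos + ln

def der_children(seq: bytes) -> Iterator[Tuple[int, bytes]]:
    pos = 0
    while pos < len(seq):
        tag, val, pos = der_tlv(seq, pos)
        yield tag, val

def decode_oid(val: bytes) -> str:
    arcs, cur = [val[0] // 40, val[0] % 40], 0
    for b in val[1:]:                  # base-128 arcs, high bit = continuation
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur); cur = 0
    return ".".join(map(str, arcs))

OID_NAMES = {"2.5.29.19": "X509v3 Basic Constraints",
             "2.5.29.30": "X509v3 Name Constraints",
             "2.5.29.15": "X509v3 Key Usage"}

def parse_extensions(ext_seq: bytes) -> List[Tuple[str, bool]]:
    """ext_seq is DER of Extensions ::= SEQUENCE OF Extension {extnID, critical DEFAULT FALSE, extnValue}."""
    _, body, _ = der_tlv(ext_seq)
    out = []
    for _, ext in der_children(body):
        fields = list(der_children(ext))
        oid = decode_oid(fields[0][1])
        critical = len(fields) == 3 and fields[1][0] == 0x01 and fields[1][1] != b"\x00"
        out.append((OID_NAMES.get(oid, oid), critical))
    return out

def unsupported_critical(exts, supported):
    """Critical extensions the parser does not know: any hit means the cert must be rejected."""
    return [name for name, crit in exts if crit and name not in supported]

# Constructed sample (short-form lengths only): basicConstraints CA:TRUE + nameConstraints, both critical.
def tlv(tag: int, val: bytes) -> bytes: return bytes([tag, len(val)]) + val
basic = tlv(0x30, tlv(0x06, bytes.fromhex("551d13")) + tlv(0x01, b"\xff") + tlv(0x04, tlv(0x30, tlv(0x01, b"\xff"))))
name_c = tlv(0x30, tlv(0x06, bytes.fromhex("551d1e")) + tlv(0x01, b"\xff")
             + tlv(0x04, tlv(0x30, tlv(0xa0, tlv(0x30, tlv(0x82, b"example.com"))))))
SAMPLE_EXTENSIONS = tlv(0x30, basic + name_c)
ASSUMED_SUPPORTED = {"X509v3 Basic Constraints", "X509v3 Key Usage"}   # illustrative set, not the plugin's table
```

Running `unsupported_critical(parse_extensions(SAMPLE_EXTENSIONS), ASSUMED_SUPPORTED)` returns `['X509v3 Name Constraints']`, which is the situation the log reports; `openssl x509 -in ca.crt -noout -text` shows the same `critical` marker next to the extension on a real certificate.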