
Issue #3304

Found unsupported critical X.509 extension: X509v3 Name Constraints

Added by Jack Ivanov 9 months ago. Updated 8 months ago.

Status:
Feedback
Priority:
Normal
Assignee:
-
Category:
-
Affected version:
5.7.1
Resolution:

Description

For some reason I can't load a CA certificate which contains X509v3 Name Constraints, despite the constraints plugin being loaded.

Jan 03 12:55:37 ipsec-test-openssl charon[20209]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jan 03 12:55:37 ipsec-test-openssl charon[20209]: 00[LIB] found unsupported critical X.509 extension: X509v3 Name Constraints
Jan 03 12:55:37 ipsec-test-openssl charon[20209]: 00[LIB] OpenSSL X.509 parsing failed
Jan 03 12:55:37 ipsec-test-openssl charon[20209]: 00[LIB] building CRED_CERTIFICATE - X509 failed, tried 4 builders
Jan 03 12:55:37 ipsec-test-openssl charon[20209]: 00[CFG]   loading ca certificate from '/etc/ipsec.d/cacerts/ca.crt' failed
Jan 03 12:55:37 ipsec-test-openssl charon[20209]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jan 03 12:55:37 ipsec-test-openssl charon[20209]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jan 03 12:55:37 ipsec-test-openssl charon[20209]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jan 03 12:55:37 ipsec-test-openssl charon[20209]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jan 03 12:55:37 ipsec-test-openssl charon[20209]: 00[CFG]   loaded crl from '/etc/ipsec.d/crls/root.pem'
Jan 03 12:55:37 ipsec-test-openssl charon[20209]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jan 03 12:55:37 ipsec-test-openssl charon[20209]: 00[CFG]   loaded ECDSA private key from '/etc/ipsec.d/private/XXX.key'
Jan 03 12:55:37 ipsec-test-openssl charon[20209]: 00[LIB] loaded plugins: charon aes sha2 random nonce x509 revocation constraints pubkey pkcs7 pkcs8 pkcs12 pgp pem openssl hmac gcm kernel-netlink socket-default stroke

Versions:

ii libcharon-standard-plugins 5.7.1-1ubuntu2 amd64 strongSwan charon library (standard plugins)
ii libstrongswan 5.7.1-1ubuntu2 amd64 strongSwan utility and crypto library
ii libstrongswan-standard-plugins 5.7.1-1ubuntu2 amd64 strongSwan utility and crypto library (standard plugins)
ii strongswan 5.7.1-1ubuntu2 all IPsec VPN solution metapackage
ii strongswan-charon 5.7.1-1ubuntu2 amd64 strongSwan Internet Key Exchange daemon
ii strongswan-libcharon 5.7.1-1ubuntu2 amd64 strongSwan charon library
ii strongswan-starter 5.7.1-1ubuntu2 amd64 strongSwan daemon starter and configuration file parser

OpenSSL 1.1.1b 26 Feb 2019

Let me know if you need any additional debug information.

Thanks!

History

#1 Updated by Jack Ivanov 9 months ago

Sorry, wrong version specified in the subject. It's 5.7.1, not 5.8.2.

#2 Updated by Tobias Brunner 8 months ago

  • Status changed from New to Feedback
  • Affected version changed from 5.8.2 to 5.7.1

The openssl plugin currently has no support for name constraints (and several other extensions, which the x509 plugin supports). So if the extension is marked critical in the certificate it can't be loaded by that plugin. Why it also fails with the x509 plugin, which you apparently have loaded too and which supports that extension, I don't know. It might be helpful if you could attach the certificate.

The constraints plugin is used to enforce such constraints, not to parse them.
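The rule behind comment #2, as an added example that is not strongSwan's code: a minimal DER walker over an X.509 Extensions sequence that applies the RFC 5280 section 4.2 requirement to reject a certificate carrying a critical extension the parser does not implement, while a non-critical unknown extension may be ignored. The sample extension list, the example.org name constraint in it, and the two "supported OID" sets standing in for an openssl-plugin-like and an x509-plugin-like parser are all constructed here for illustration; none of it is the reporter's ca.crt.

```python
"""Minimal DER encoder/decoder for the X.509 Extensions sequence (added example).

Models RFC 5280 4.2: a parser that does not implement a critical extension
must reject the certificate. Sample data below is constructed inline.
"""

OID_BASIC_CONSTRAINTS = "2.5.29.19"
OID_KEY_USAGE = "2.5.29.15"
OID_NAME_CONSTRAINTS = "2.5.29.30"


# --- tiny DER encoder (only what the sample needs) -------------------------

def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]          # base-128, high bit set on all but last byte
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def encode_extension(oid: str, critical: bool, value: bytes) -> bytes:
    # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
    body = encode_oid(oid)
    if critical:                      # DER omits a DEFAULT value, so FALSE is never encoded
        body += tlv(0x01, b"\xff")
    body += tlv(0x04, value)
    return tlv(0x30, body)


# --- decoder -------------------------------------------------------------

def read_tlv(buf: bytes, pos: int):
    """Return (tag, body, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body: bytes) -> str:
    arcs = [body[0] // 40, body[0] % 40]   # fine for arcs 0/1/2 with second arc < 40
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_extensions(der: bytes):
    """Yield (oid, critical, value) for every Extension in an Extensions SEQUENCE."""
    tag, seq, _ = read_tlv(der, 0)
    assert tag == 0x30
    pos = 0
    while pos < len(seq):
        tag, ext, pos = read_tlv(seq, pos)
        assert tag == 0x30
        _, oid_body, p = read_tlv(ext, 0)
        t, body, p = read_tlv(ext, p)
        critical = False
        if t == 0x01:                 # optional critical BOOLEAN is present
            critical = body == b"\xff"
            t, body, p = read_tlv(ext, p)
        assert t == 0x04              # extnValue OCTET STRING
        yield decode_oid(oid_body), critical, body


def check_certificate_extensions(der: bytes, supported: set):
    """Return (accepted, unsupported_critical_oids) per RFC 5280 section 4.2."""
    bad = [oid for oid, crit, _ in parse_extensions(der) if crit and oid not in supported]
    return (not bad), bad


# Constructed sample: the extensions a CA certificate typically carries, all critical.
# NameConstraints here permits dNSName subtrees under "example.org" (illustrative value).
NAME_CONSTRAINTS_VALUE = tlv(0x30, tlv(0xA0, tlv(0x30, tlv(0x82, b"example.org"))))
SAMPLE_CA_EXTENSIONS = tlv(0x30,
    encode_extension(OID_BASIC_CONSTRAINTS, True, bytes.fromhex("300301 01ff".replace(" ", "")))  # cA TRUE
    + encode_extension(OID_KEY_USAGE, True, bytes.fromhex("03020106"))  # keyCertSign, cRLSign
    + encode_extension(OID_NAME_CONSTRAINTS, True, NAME_CONSTRAINTS_VALUE))

# Hypothetical "supported" sets: the first lacks NameConstraints, as comment #2 describes.
OPENSSL_PLUGIN_LIKE = {OID_BASIC_CONSTRAINTS, OID_KEY_USAGE}
X509_PLUGIN_LIKE = OPENSSL_PLUGIN_LIKE | {OID_NAME_CONSTRAINTS}


def demo():
    return {name: check_certificate_extensions(SAMPLE_CA_EXTENSIONS, sup)
            for name, sup in (("openssl-like", OPENSSL_PLUGIN_LIKE), ("x509-like", X509_PLUGIN_LIKE))}


if __name__ == "__main__":
    for name, (ok, bad) in demo().items():
        print(f"{name}: {'loaded' if ok else 'rejected'} {bad}")
```

Run as a script it prints one line per simulated parser; the openssl-like set rejects the sample with `2.5.29.30` listed as the unsupported critical extension, which is the same decision the log in the description shows, while the x509-like set loads it. Marking the same extension non-critical makes both sets accept it, which is why the critical flag on the CA's Name Constraints is what matters here.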
