Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-12278

Connection cannot be established when IPv6 IP SAN is used

Linking RHIVOS CVEs to...Migration: Automation ...SWIFT: Generate New Ti...SWIFT: POC ConversionSync from "Extern...XMLWordPrintable

    • None
    • None
    • ZStream
    • 1
    • rhel-security-crypto
    • ssg_security
    • 34
    • 1
    • Hide

      10/11: telco priority pending info

      Show
      10/11: telco priority pending info
    • False
    • False
    • Hide

      None

      Show
      None
    • Yes
    • Red Hat Enterprise Linux
    • Crypto24Q2
    • Approved Blocker
    • Hide

      AC1) IPsec connection is established even if IPv6 IP SAN is used in the certificate and configuration, following the steps mentioned in the description.

      Show
      AC1) IPsec connection is established even if IPv6 IP SAN is used in the certificate and configuration, following the steps mentioned in the description.
    • None
    • Not Needed
    • None
    • Bug Fix
    • Hide
      .Libreswan accepts IPv6 SAN extensions

      Previously, IPsec connection failed when setting up certificate-based authentication with a certificate that contained a subjectAltName (SAN) extension with an IPv6 address.
      With this update, the `pluto` daemon has been modified to accept IPv6 SAN as well as IPv4. As a result, IPsec connection is now correctly established with IPv6 address embedded in the certificate as an ID.
      Show
      .Libreswan accepts IPv6 SAN extensions Previously, IPsec connection failed when setting up certificate-based authentication with a certificate that contained a subjectAltName (SAN) extension with an IPv6 address. With this update, the `pluto` daemon has been modified to accept IPv6 SAN as well as IPv4. As a result, IPsec connection is now correctly established with IPv6 address embedded in the certificate as an ID.
    • Done
    • All
    • None

      What were you trying to do that didn't work?

      Libreswan expected IPv4 address in gntoid() function while both IPv4 and IPv6 addresses are allowed in SAN. See

      Issue was reported as https://github.com/libreswan/libreswan/issues/1321. This is not a regression, it was always like that.

      Please provide the package NVR for which bug is seen:

      libreswan-4.12-1.el9

      How reproducible:

      100%

      Steps to reproduce

      1. Create certificates using using SAN with IP using IPv6 addresses:
      # certutil -v 120 -S -k rsa -c "CA" -n "worker1" -s "CN=worker1" -v 12 -t "u,u,u" -d sql:/var/lib/ipsec/nss --extSAN "ip:<ipv6>"
      1. Load the following connection:
      # cat /etc/ipsec.d/nstest.conf 
conn worker1-VM
	type=transport
        left=<ipv6>
        leftid=%fromcert
        leftrsasigkey=%cert
        leftcert=worker1
        hostaddrfamily=ipv6
        clientaddrfamily=ipv6
        right=<ipv6>
        rightid=%fromcert
        rightrsasigkey=%cert
	ike=aes_gcm256-sha2_256
	esp=aes_gcm256
	ikev2=insist

# ipsec auto --add worker1-VM

      Expected results

      Connection is loaded correctly, no warnings. Connection can be established.

      Actual results

      ...

      1. ipsec auto --add worker1-VM
        002 "worker1-VM": terminating SAs using this connection
        002 "worker1-VM": warning: gntoid() failed to initaddr(): IPv4 address must be exactly 4 bytes
        002 "worker1-VM": added IKEv2 connection

              dueno@redhat.com Daiki Ueno
              omoris Ondrej Moris
              Daiki Ueno Daiki Ueno
              SSG Security QE SSG Security QE
              Jan Fiala Jan Fiala
              Votes:
              0 Vote for this issue
              Watchers:
              10 Start watching this issue

                Created:
                Updated:
                Resolved: