[strongSwan] SSwan 5.5.3 , X.509 certs and attr-sql issue

Tobias Brunner tobias at strongswan.org
Thu Jun 29 15:52:56 CEST 2017


Hi Alex,

> Jun 29 13:49:12 06[LIB] <x509-certs-ikev2|1> executing MySQL statement
> failed: Duplicate entry
> '9-0\x81\x881\x1D0\x1B\x06\x03U\x04\x03\x0C\x14sumvision at york.ac.' for key 'type'

That shouldn't happen as right before that insert there is a query that
should return the identity inserted previously (see [1]).  The reason
why that's not the case here is the short default length of the `data`
column in the `identities` table (64 bytes).  Because the binary ASN.1
encoding of the client certificate's subject DN
(CN=sumvision at york.ac.uk, O=University of York, OU=IT Services, L=York,
ST=North Yorkshire, C=GB) is 139 bytes long, it gets cut off, which
means the lookup fails (the shortened value in the table does not match
the actual identity); however, when inserting the value again, the same
shortened entry already exists, causing this constraint failure.

So either change the length of the data field in the database table, or
use shorter identities (e.g. sumvision at york.ac.uk if that's contained in
a subjectAlternativeName extension in the certificate).

Regards,
Tobias

[1]
https://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libcharon/plugins/attr_sql/attr_sql_provider.c;h=33d9f99fcdccbfde02e97061bd2fe7ff5942d7e5;hb=HEAD#l58
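The failure mode Tobias describes can be reproduced without a strongSwan install. The following is an added example, not code from the mailing list or from the strongSwan project: it DER-encodes the subject DN quoted in the mail (with the list's "at" obfuscation undone to the real `@`, and the string tags per attribute assumed, which does not change the length), emulates a `data` column that silently keeps only its first 64 bytes the way MySQL does in non-strict mode, and runs the lookup-then-insert sequence twice against an in-memory SQLite table with a `UNIQUE(type, data)` key. The identity type number `9` is taken from the `'9-...'` key in the logged error and assumed to be strongSwan's DER DN type; the table layout is an assumption modelled on the log, not the project's schema.

```python
"""Reproduce the truncated-identity lookup/insert collision from the mail.

Added example; not strongSwan code. Runs offline with the standard library.
"""
import sqlite3

# X.520 attribute-type OIDs, as the DER content of the OBJECT IDENTIFIER TLV.
OIDS = {
    "CN": b"\x55\x04\x03",
    "O": b"\x55\x04\x0a",
    "OU": b"\x55\x04\x0b",
    "L": b"\x55\x04\x07",
    "ST": b"\x55\x04\x08",
    "C": b"\x55\x04\x06",
}

# Identity type as it appears in the logged key '9-...'; assumed to be the
# DER DN type. The unique key on (type, data) is also an assumption.
ID_DER_ASN1_DN = 9


def der_len(n):
    """DER definite-length encoding (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def encode_dn(rdns):
    """Encode a list of (attribute, value) pairs, in encoding order, as an
    X.501 Name: SEQUENCE OF SET OF SEQUENCE { OID, string }.
    Single-valued RDNs only. String tag: PrintableString for C, UTF8String
    otherwise (assumption; the tag choice does not affect the length)."""
    out = b""
    for attr, value in rdns:
        str_tag = 0x13 if attr == "C" else 0x0C
        atv = der_tlv(0x30, der_tlv(0x06, OIDS[attr]) + der_tlv(str_tag, value.encode()))
        out += der_tlv(0x31, atv)
    return der_tlv(0x30, out)


# The subject DN from the mail, in the order strongSwan printed it.
SUBJECT = [
    ("CN", "sumvision@york.ac.uk"),
    ("O", "University of York"),
    ("OU", "IT Services"),
    ("L", "York"),
    ("ST", "North Yorkshire"),
    ("C", "GB"),
]


def lookup_or_insert(conn, data_limit, ident):
    """Look the identity up by its full value; insert it if missing.
    `data_limit` emulates a VARBINARY(data_limit) column that silently
    truncates on insert (MySQL non-strict behaviour, emulated here because
    SQLite does not enforce declared lengths)."""
    row = conn.execute(
        "SELECT id FROM identities WHERE type = ? AND data = ?",
        (ID_DER_ASN1_DN, ident),
    ).fetchone()
    if row:
        return row[0], "found"
    stored = ident[:data_limit]  # what the narrow column actually keeps
    cur = conn.execute(
        "INSERT INTO identities (type, data) VALUES (?, ?)",
        (ID_DER_ASN1_DN, stored),
    )
    return cur.lastrowid, "inserted"


def simulate(data_limit):
    """Run two client connections' worth of lookup/insert against a fresh
    table and report what each attempt did."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE identities ("
        " id INTEGER PRIMARY KEY, type INTEGER NOT NULL, data BLOB NOT NULL,"
        " UNIQUE(type, data))"
    )
    ident = encode_dn(SUBJECT)
    outcomes = []
    for _ in range(2):
        try:
            outcomes.append(lookup_or_insert(conn, data_limit, ident)[1])
        except sqlite3.IntegrityError:
            outcomes.append("duplicate")  # the 'Duplicate entry' from the log
    return outcomes


if __name__ == "__main__":
    print("DER length of subject DN:", len(encode_dn(SUBJECT)))
    print("64-byte data column:", simulate(64))
    print("256-byte data column:", simulate(256))
```

With the 64-byte column the first attempt inserts a truncated row and the second raises the constraint error, because the full 139-byte value never matches the 64 bytes that were stored; with a column wide enough for the whole DN the second attempt finds the row. `len(encode_dn(...))` is the number to compare against the column width when deciding how far to widen it, or whether a shorter identity such as the subjectAltName e-mail address is preferable.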
