[strongSwan] SSwan 5.5.3, X.509 certs and attr-sql issue

Alex Sharaz alex.sharaz at york.ac.uk
Thu Jun 29 16:01:22 CEST 2017


Hi
Many thanks for the quick response ... it's easy to change the table size
... which I've done ... and it now works!

Rgds
Alex


On 29 June 2017 at 14:52, Tobias Brunner <tobias at strongswan.org> wrote:

> Hi Alex,
>
> > Jun 29 13:49:12 06[LIB] <x509-certs-ikev2|1> executing MySQL statement
> > failed: Duplicate entry
> > '9-0\x81\x881\x1D0\x1B\x06\x03U\x04\x03\x0C\x14sumvision at york.ac.' for
> > key 'type'
>
> That shouldn't happen as right before that insert there is a query that
> should return the identity inserted previously (see [1]).  The reason
> why that's not the case here is the short default length of the `data`
> column in the `identities` table (64 bytes).  Because the binary ASN.1
> encoding of the client certificate's subject DN
> (CN=sumvision at york.ac.uk, O=University of York, OU=IT Services, L=York,
> ST=North Yorkshire, C=GB) is 139 bytes long it gets cut off.  Which
> means the lookup fails (the shortened value in the table does not match
> the actual identity), however, when inserting the value again the same
> shortened entry already exists, causing this constraint failure.
>
> So either change the length of the data field in the database table, or
> use shorter identities (e.g. sumvision at york.ac.uk if that's contained in
> a subjectAlternativeName extension in the certificate).
>
> Regards,
> Tobias
>
> [1]
> https://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libcharon/plugins/attr_sql/attr_sql_provider.c;h=33d9f99fcdccbfde02e97061bd2fe7ff5942d7e5;hb=HEAD#l58
>
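
The failure described in the quoted reply, reproduced as an added example (not part of the original thread and not strongSwan code): it DER-encodes the subject DN from the thread, then runs a lookup-then-insert against a simplified `identities` table. Assumptions: SQLite with `substr()` stands in for the MySQL column that cuts values off, every attribute is encoded as UTF8String, and the wider width of 255 is an arbitrary constructed value.

```python
import sqlite3

def tlv(tag: int, body: bytes) -> bytes:
    """DER tag-length-value, short or long form length."""
    n = len(body)
    if n < 0x80:
        head = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        head = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + body

def encode_dn(rdns) -> bytes:
    """Encode [(last arc of OID 2.5.4.x, value), ...] as a DER Name."""
    out = b""
    for arc, value in rdns:
        oid = tlv(0x06, bytes([0x55, 0x04, arc]))
        atv = tlv(0x30, oid + tlv(0x0C, value.encode()))  # UTF8String (assumed)
        out += tlv(0x31, atv)
    return tlv(0x30, out)

# Subject DN from the thread, with the archive's " at " restored to "@".
SUBJECT = encode_dn([(3, "sumvision@york.ac.uk"), (10, "University of York"),
                     (11, "IT Services"), (7, "York"),
                     (8, "North Yorkshire"), (6, "GB")])
ID_TYPE_DN = 9  # the "9" at the start of the logged duplicate key

def lookup_then_insert(width: int, identity: bytes = SUBJECT) -> str:
    """Store an identity once, then repeat the lookup and insert sequence."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE identities (id INTEGER PRIMARY KEY, "
               "type INTEGER, data BLOB, UNIQUE (type, data))")
    # substr() models a column of `width` bytes that cuts longer values off.
    ins = "INSERT INTO identities (type, data) VALUES (?, substr(?, 1, ?))"
    db.execute(ins, (ID_TYPE_DN, identity, width))       # first connection
    row = db.execute("SELECT id FROM identities WHERE type = ? AND data = ?",
                     (ID_TYPE_DN, identity)).fetchone()  # next connection
    if row:
        return "found"
    try:
        db.execute(ins, (ID_TYPE_DN, identity, width))
    except sqlite3.IntegrityError:
        return "duplicate"  # the constraint failure seen in the log
    return "inserted"

if __name__ == "__main__":
    print(len(SUBJECT), lookup_then_insert(64), lookup_then_insert(255))
```

The same length check works as a pre-deployment test: any identity whose encoded length exceeds the column width will miss on lookup and then collide on insert.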