The peer end has the certificate below, with multiple IPs in the Subject Alt Name, and the remote identifier set at the local end is 20.0.0.1.

While validating the certificate, will it consider all the IPs present in the Subject Alt Name?

Or will it check the first one only and invalidate the certificate?

            X509v3 Subject Alternative Name:
                IP Address:10.0.0.1, IP Address:20.0.0.1

In my testing it reports an error (sub-Alt-name mismatched) if the first IP doesn't match the identifier IP.

Also, after a code walk-through I found the same. Is it a bug or expected behaviour of racoon?

File: oakley.c

    for (pos = 1; ; pos++) {
        if (eay_get_x509subjectaltname(iph1->cert_p,
                                       &altname, &type, pos) != 0) {
            plog(LLV_ERROR, LOCATION, NULL,
                 "failed to get subjectAltName\n");
            return ISAKMP_NTYPE_INVALID_CERTIFICATE;
        }

        /* it's the end condition of the loop. */
        if (!altname) {
            plog(LLV_ERROR, LOCATION, NULL,
                 "no proper subjectAltName.\n");
            return ISAKMP_NTYPE_INVALID_CERTIFICATE;
        }

        if (check_typeofcertname(id_b->type, type) == 0)
            break;  --> is this break expected ??

Below is the peer certificate:

[root@CFPU-0(BCNBlr36) /root]
# openssl x509 -in /etc/ipsec/certs/ipsec.d/certs/CFPU-0-cert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3 (0x3)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=www.nokiasiemensnetworks.com/emailAddress=gianluigi.ongaro@nsn.com
        Validity
            Not Before: Oct 28 07:19:43 2012 GMT
            Not After : Nov 27 07:19:43 2012 GMT
        Subject: C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=ATCA_CFPU-0/emailAddress=gianluigi.ongaro@nsn.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:


                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                IP Address:10.0.0.1, IP Address:20.0.0.1
    Signature Algorithm: sha1WithRSAEncryption


[root@CFPU-0(BCNBlr36) /root]

Best Regards,
Deepak
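As an added illustration (not racoon's code and not part of the original post), the two matching strategies discussed above, side by side, run over a constructed SAN list shaped like the certificate in the post. The `san_entry` type, both function names and the textual IP comparison are assumptions made for this example; the first strategy stops at the first entry of the identifier's type, the second keeps walking the list.

```c
#include <stdio.h>
#include <string.h>

/* Constructed SAN entry representation; not racoon's own structures. */
enum san_type { SAN_DNS = 1, SAN_EMAIL = 2, SAN_IP = 3 };

struct san_entry {
    enum san_type type;
    const char *value;   /* textual form, e.g. "20.0.0.1" */
};

/* Behaviour the post describes: stop at the first entry whose type
 * matches the identifier's type and compare only that one. */
int san_match_first_of_type(const struct san_entry *san, size_t n,
                            enum san_type id_type, const char *id_value)
{
    for (size_t i = 0; i < n; i++) {
        if (san[i].type != id_type)
            continue;
        return strcmp(san[i].value, id_value) == 0;
    }
    return 0;   /* no entry of the identifier's type at all */
}

/* Walk every entry of the matching type; accept if any equals the identifier. */
int san_match_any_of_type(const struct san_entry *san, size_t n,
                          enum san_type id_type, const char *id_value)
{
    for (size_t i = 0; i < n; i++) {
        if (san[i].type == id_type && strcmp(san[i].value, id_value) == 0)
            return 1;
    }
    return 0;
}

/* Constructed SAN list mirroring the certificate in the post. */
static const struct san_entry peer_san[] = {
    { SAN_IP, "10.0.0.1" },
    { SAN_IP, "20.0.0.1" },
};
static const size_t peer_san_len = sizeof peer_san / sizeof peer_san[0];

int main(void)
{
    /* Identifier 20.0.0.1 as in the post: first-of-type fails, any-of-type passes. */
    printf("first-of-type: %d\n", san_match_first_of_type(peer_san, peer_san_len, SAN_IP, "20.0.0.1"));
    printf("any-of-type:   %d\n", san_match_any_of_type(peer_san, peer_san_len, SAN_IP, "20.0.0.1"));
    return 0;
}
```

With the identifier set to 10.0.0.1 both strategies agree, which is why the difference only shows up when the matching IP is not the first SAN entry of its type.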