[strongSwan-dev] Subject certificate signature verification
riku.hietamaki at kotinet.com
Tue Nov 11 15:00:27 CET 2014
One more question.
What if the right and left certs in negotiation are same, but
only left cert is configured to ipsec.conf in server.
Does Strongswan make any assumptions for right cert in that case?
On 11/11/14 14:19, Martin Willi wrote:
> Kindly asking to keep the discussion on the list, thanks.
>> Is it so that, if (e.g., server side) ipsec.d/certs folder contains the
>> same cert than client side is using as a subject cert, the certificate
>> is automatically trusted?
> Just having a cert in ipsec.d/certs does not load it implicitly at all.
> Specifying such a cert in a left/rightcert on any connection loads that
> certificate as trusted, which means no trust chain validation is
> required for any user having a private key for it.
> Alternatively you may add a trust anchor constraint by setting a
> rightca. This ensures that the peer certificate is issued under a
> specific CA, and for example not the one you are using to authenticate
> yourself. Explicitly setting rightcert requires that the peer
> authenticates with a private key for exactly that certificate specified.
More information about the Dev