[strongSwan-dev] Feature request: direct loading of certs and cert like fields as string data in addition to file paths

Joshua Marshall j.marshall at arroyo.io
Thu May 9 20:09:15 CEST 2019

What I'm having trouble with is getting them to connect in an
understandable way.  From the first email, `connections { "my_conn": {
"local": {"cert": {"data": <CERTIFICATE STRING>} } } }` doesn't work.  It
does not appear that there is a way to directly associate a binary blob
certificate in a connection.  But there are ways to link to a certificate
file in that connection.  For instance, `connections { "my_conn": {
"local": {"cert": {"file": <CERTIFICATE PATH>} } } }` is documented
explicitly to work.

Something we have found out since then is that certificates seem to
associate with connections by the ID field in `connections { "my_conn" : {
"local" : { "id" : <name/altName/id in cert> } , "remote" : { "id" :
<name/altName/id in cert>} } }` and to have certs loaded separately as ` {
"type" : "x509", "flag" : "None", "data" : <cert blob> }` where the cert ID
is specified in the cert and not in the Vici config.  This is not apparent
in the design or documentation referenced
(https://wiki.strongswan.org/projects/strongswan/wiki/Swanctlconf).  In
that documentation, there are points where multiple file paths to certs can
be given and they link to the connection by their internally represented
names, but no such direct option for certificates is mentioned.

It seems like there are multiple, different idioms for attaching
certificates to connections and it is not very clear which one is right.
More details on how certs are loaded beyond basic use cases would be very
helpful in the documentation.

On Thu, May 9, 2019 at 4:02 AM Tobias Brunner <tobias at strongswan.org> wrote:

> Hi Joshua,
> > Reading over the source code, this direct loading of certificate data
> > does not seem to be a supported use case but we can't say this with 100%
> > confidence.
> Loading certificates from binary blobs (DER or PEM encoded) is actually
> the default via vici.
> Regards,
> Tobias
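As an added example (not from this thread or from the strongSwan project), the Python below builds the two vici requests the message describes, a `load-cert` that carries the certificate as an inline blob and a `load-conn` that binds to it by identity rather than by a `cert` reference, using the wire encoding documented in the vici README. The element-type constants, the connection name and the identities are assumptions, and the certificate is a constructed placeholder.

```python
import struct

# vici element types and the CMD_REQUEST packet type, as documented in
# strongSwan's vici README (assumed here; check against your version).
SECTION_START, SECTION_END, KEY_VALUE, LIST_START, LIST_ITEM, LIST_END = range(1, 7)
CMD_REQUEST = 0

def _val(v):
    # Values go over the wire raw: str is UTF-8 encoded, bytes (DER) pass through.
    return v if isinstance(v, bytes) else str(v).encode()

def encode_message(obj):
    """Serialise a nested dict into the vici element stream: names carry a
    1-byte length prefix, values a 2-byte big-endian one."""
    out = bytearray()
    for key, value in obj.items():
        name = key.encode()
        if isinstance(value, dict):
            out += bytes([SECTION_START, len(name)]) + name
            out += encode_message(value)
            out.append(SECTION_END)
        elif isinstance(value, (list, tuple)):
            out += bytes([LIST_START, len(name)]) + name
            for item in value:
                out += bytes([LIST_ITEM]) + struct.pack("!H", len(_val(item))) + _val(item)
            out.append(LIST_END)
        else:
            out += bytes([KEY_VALUE, len(name)]) + name
            out += struct.pack("!H", len(_val(value))) + _val(value)
    return bytes(out)

def command_packet(name, message):
    """Frame a request: 4-byte length, packet type, 1-byte name length, name, body."""
    body = bytes([CMD_REQUEST, len(name)]) + name.encode() + encode_message(message)
    return struct.pack("!I", len(body)) + body

# Constructed placeholder; a real deployment passes the peer's PEM or DER bytes.
PEER_CERT = b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"

# 1) load-cert carries the blob on its own, with no reference to a connection.
load_cert = command_packet("load-cert",
                           {"type": "X509", "flag": "NONE", "data": PEER_CERT})

# 2) load-conn names only the identities; the certificate is selected by the
#    subject/altName it carries, not by a pointer in the connection.
#    The connection name and identities are hypothetical.
load_conn = command_packet("load-conn", {"my_conn": {
    "local": {"auth": "pubkey", "id": "CN=gateway.example"},
    "remote": {"auth": "pubkey", "id": "CN=peer.example"},
}})
```

Writing `load_cert` and then `load_conn` to charon's vici socket reproduces the two-step flow the message describes; the same encoder frames any other vici command.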


