[strongSwan] Certificate checks while using EAP-TLS

Martin Willi martin at strongswan.org
Thu Oct 7 16:34:36 CEST 2010


Hi Andreas,

> I would like to let the clients authenticate
> themselves with previously issued certificates that contain an email
> address in the subjectAlternativeName (or that have no
> subjectAlternativeName at all).

> 01[TLS] no trusted certificate found for '141.99.152.189' to verify TLS peer

Charon uses the same cert chain validation in TLS as in traditional
IKEv2 certificate validation. This validator is a little more strict
than other TLS stacks in that it requires the peer's identity to be
contained as subject or as subjectAltName in the certificate. Having
just the peer's identity as CN in the DN is not sufficient.

The peer must either use the full DN of the certificate or one of the
subjectAltNames as identity. You can specify the IKEv2 identity in
ipsec.conf as leftid. If you use an additional EAP-Identity exchange
(initiated by the server with eap_identity=%identity), you can specify
the EAP-Identity with eap_identity=alice at strongswan.org on the client.
Don't forget to --enable-eap-identity during configure, as this
EAP-Identity exchange requires an additional plugin.

> I just want to check if that client's certificate is issued by 
> a certain CA (and maybe has a certain field in the DN).

Yes, this should be no problem. But the client must authenticate with an
identity that is contained in the certificate.

Regards
Martin
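As an added illustration of the setup described in this message (not part of Martin's reply and not strongSwan's own documentation), the ipsec.conf fragments below show an EAP-TLS server that requests an EAP-Identity and a client that sends an identity contained in its certificate. The connection names, DNs, file names and the CA name are made-up placeholders; `leftid`, `rightid`, `leftauth`, `rightauth`, `leftcert`, `eap_identity` and `rightca` are standard ipsec.conf keywords. The client's EAP-Identity (`alice@strongswan.org`) is the value quoted in the message.

```ini
# Server side (ipsec.conf): EAP-TLS with an additional EAP-Identity exchange.
# All names and DNs below are placeholders; adapt them to your own PKI.
conn eap-tls-server
    left=%any
    leftcert=serverCert.pem
    # The server's IKEv2 identity must itself be contained in serverCert.pem
    leftid="C=CH, O=Example, CN=vpn.example.org"
    leftauth=pubkey
    right=%any
    rightauth=eap-tls
    # Request an EAP-Identity from the client; that identity (not the IKEv2
    # identity) is then matched against the client's TLS certificate.
    eap_identity=%identity
    # Only accept client certificates issued by this CA (placeholder DN).
    # The subject/subjectAltName match described above still applies.
    rightca="C=CH, O=Example, CN=Example Client CA"
    auto=add

# Client side (ipsec.conf): the identity sent in the EAP-Identity exchange
# must appear in clientCert.pem either as a subjectAltName or as the full DN.
conn eap-tls-client
    left=%defaultroute
    leftcert=clientCert.pem
    # Option A: an email subjectAltName of the certificate
    eap_identity=alice@strongswan.org
    # Option B (certificate without any subjectAltName): the full subject DN
    # eap_identity="C=CH, O=Example, CN=alice"
    leftauth=eap-tls
    right=vpn.example.org
    rightid="C=CH, O=Example, CN=vpn.example.org"
    rightauth=pubkey
    auto=add
```

Without the EAP-Identity exchange (no `eap_identity=%identity` on the server), the same rule applies to the client's `leftid` instead, since the IKEv2 identity is then the one checked against the certificate. As the message notes, the server build needs `--enable-eap-identity` at configure time for the EAP-Identity plugin to be available.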