[strongSwan] Checking of certificate CN and subjectAltName against IDr

Graham Hudspith graham.hudspith at gmail.com
Wed Aug 3 10:53:42 CEST 2011


Hi All,

We have a question here concerning verification of the SeGW's certificate by
the local tunnel initiator.

We configure our initiator with the FQDN of the SeGW. The initiator resolves
this FQDN to an IP address and then sends the tunnel setup requests to that
IP address with the IDr set to the FQDN.

The SeGW eventually responds, in an IKE_AUTH, with its certificate.

The initiator then verifies that certificate.

Now, it is this verification we'd like some insight into.

Obviously, the certificate is checked against the remote end's Root CA that
the initiator has a copy of.

What we'd like to know, if anyone can throw any light on the subject (pun
intended), is the additional checking that takes place.

Does strongSwan (on the initiator) check that the original FQDN/IDr is also
in the certificate?

If the certificate has only a "subject" and no "subjectAltName", does
strongSwan check that the IDr matches the CN specified in the "subject" of
the certificate?

If the certificate has both a "subject" and "subjectAltName", does
strongSwan check that the IDr matches EITHER the CN specified in the
"subject" OR one of the multiple "subjectAltName" entries?

A customer of ours is convinced that if both a "subject" and one (or
more) "subjectAltName" are present, the initiator must check that the IDr
matches (one of) the "subjectAltName" entries AND must also check that the
IDr does NOT match the "subject"'s CN.

I would have thought that as long as the IDr matches EITHER one of the
"subjectAltName" entries OR the "subject"'s CN, then the check has passed.

Hope this makes sense.

Regards,

Graham.
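The two readings of the IDr check that the post contrasts (match either SAN or CN, versus the customer's SAN-must-match-and-CN-must-not rule), modelled as an added, constructed example; this is not strongSwan's own matching code, and the certificate fields, host names and function names are assumptions:

```python
"""Two readings of the "does IDr match the certificate?" question from the post.

Constructed, stand-alone model of the identity check; it is NOT strongSwan's
own matching code."""

from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertIdentity:
    """Only the identity-bearing fields of a peer certificate (constructed)."""
    subject_cn: Optional[str]
    san_dns: List[str] = field(default_factory=list)


def _same_fqdn(a: str, b: str) -> bool:
    # DNS names compare case-insensitively; a trailing root dot is ignored.
    return a.rstrip(".").lower() == b.rstrip(".").lower()


def match_either(idr: str, cert: CertIdentity) -> Optional[str]:
    """Graham's reading: the check passes if IDr equals ANY SAN dNSName OR
    the subject CN.  Returns the field that matched, or None."""
    if any(_same_fqdn(idr, n) for n in cert.san_dns):
        return "subjectAltName"
    if cert.subject_cn is not None and _same_fqdn(idr, cert.subject_cn):
        return "subject CN"
    return None


def match_customer(idr: str, cert: CertIdentity) -> Optional[str]:
    """The customer's reading, taken literally: when one or more SANs are
    present, IDr must equal a SAN entry AND must NOT equal the subject CN;
    the CN alone is consulted only when the certificate carries no SAN."""
    if cert.san_dns:
        san_hit = any(_same_fqdn(idr, n) for n in cert.san_dns)
        cn_hit = cert.subject_cn is not None and _same_fqdn(idr, cert.subject_cn)
        return "subjectAltName" if san_hit and not cn_hit else None
    if cert.subject_cn is not None and _same_fqdn(idr, cert.subject_cn):
        return "subject CN"
    return None


# Constructed SeGW certificate: the CN also appears among the SAN entries,
# which is exactly the case where the two readings disagree.
SEGW_CERT = CertIdentity(
    subject_cn="segw.example.net",
    san_dns=["segw.example.net", "segw1.example.net"],
)
```

With IDr set to `segw.example.net`, `match_either` accepts via the SAN while `match_customer` rejects because the same name is also the CN; a SAN-less certificate is accepted on its CN under both readings.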