[strongSwan] Checking of certificate CN and subjectAltName against IDr
Martin Willi
martin at strongswan.org
Wed Aug 3 11:29:42 CEST 2011
Hi Graham,
> Does strongSwan (on the initiator) check that the original FQDN/IDr is
> also in the certificate ?
Yes.
> If the certificate has only a "subject" and no "subjectAltName", does
> strongSwan check that the IDr matches the CN specified in the
> "subject" of the certificate ?
Unlike in SSL/TLS, we check the ID against the full subject
Distinguished Name, not only against the CN RDN. In other words, the ID
gateway.example.com does not match against "C=CH, O=strongSwan,
CN=gateway.example.com". You'd have to use the full DN as the identity
then.
> If the certificate has both a "subject" and "subjectAltName", does
> strongSwan check that the IDr matches EITHER the CN specified in the
> "subject" OR one of the multiple "subjectAltName" entries ?
It must match the full subject DN or one of the subjectAltNames.
> A customer of ours is convinced that if both a "subject" and one (or
> more) "subjectAltName" are present, the initiator must check that the
> IDr matches (one of) the "subjectAltName" entries AND must also check
> that the IDr does NOT match the "subject"'s CN.
I don't see why such a restriction would make sense, and I can't find
such a rule in RFC4945.
Regards
Martin
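The matching rule Martin describes above, written out as a small Python model so the three cases in the thread can be checked concretely. This is an added example, not strongSwan's own code: the DN parser is deliberately simplified (no escaped commas, textual rather than ASN.1 comparison), and the set of attribute types compared case-insensitively is an assumption made for illustration.

```python
"""Illustration (added, not strongSwan code) of the peer-identity rule from the mail:
IDr matches a certificate only if it equals the full subject DN or one of the
subjectAltName entries.  A bare FQDN never matches a CN RDN on its own, and the
presence of SANs does not forbid IDr from matching the subject DN."""

from dataclasses import dataclass, field
from typing import List, Tuple

# Assumption for this model: values of these attribute types compare case-insensitively
# (roughly the X.500 caseIgnoreMatch behaviour); everything else compares exactly.
_CASE_INSENSITIVE = {"C", "ST", "L", "O", "OU", "CN", "E", "EMAILADDRESS", "DC"}


def parse_dn(dn: str) -> Tuple[Tuple[str, str], ...]:
    """Split a textual DN such as 'C=CH, O=strongSwan, CN=gw.example.com' into
    ordered (TYPE, value) pairs.  Simplified: no support for escaped commas or
    multi-valued RDNs."""
    rdns = []
    for part in dn.split(","):
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        typ, value = part.split("=", 1)
        rdns.append((typ.strip().upper(), value.strip()))
    return tuple(rdns)


def dn_equal(a: str, b: str) -> bool:
    """Two DNs are equal only if every RDN matches, in order.  A single-RDN
    identity such as 'CN=host' therefore never equals a three-RDN subject."""
    ra, rb = parse_dn(a), parse_dn(b)
    if len(ra) != len(rb):
        return False
    for (ta, va), (tb, vb) in zip(ra, rb):
        if ta != tb:
            return False
        if ta in _CASE_INSENSITIVE:
            if va.lower() != vb.lower():
                return False
        elif va != vb:
            return False
    return True


@dataclass
class PeerCert:
    """Constructed stand-in for the certificate fields relevant here."""
    subject: str                                   # full subject DN, textual
    sans: List[str] = field(default_factory=list)  # DNS / e-mail / IP SAN entries


def identity_matches(idr: str, cert: PeerCert) -> bool:
    """Apply the rule from the mail.

    - If IDr looks like a DN (contains '='), it must equal the full subject DN.
    - Otherwise IDr (FQDN, e-mail, IP) must equal one of the SAN entries;
      host names are compared case-insensitively.
    There is no CN-only match and no 'must NOT match the subject' clause."""
    if "=" in idr:
        return dn_equal(idr, cert.subject)
    return any(idr.lower() == san.lower() for san in cert.sans)


if __name__ == "__main__":
    # Constructed certificates mirroring the cases discussed in the thread.
    cn_only = PeerCert(subject="C=CH, O=strongSwan, CN=gateway.example.com")
    with_san = PeerCert(subject="C=CH, O=strongSwan, CN=gateway.example.com",
                        sans=["gateway.example.com", "vpn.example.com"])
    print("FQDN vs subject-only cert:", identity_matches("gateway.example.com", cn_only))
    print("full DN vs subject-only cert:",
          identity_matches("C=CH, O=strongSwan, CN=gateway.example.com", cn_only))
    print("FQDN vs cert with SAN:", identity_matches("gateway.example.com", with_san))
```

Running the block prints False, True, True in that order: with a subject-only certificate the FQDN identity fails and the full DN identity succeeds, and once the name appears in a subjectAltName the FQDN identity succeeds too.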