[strongSwan] IKE_SA getting established even without CA cert being present
Martin Willi
martin at strongswan.org
Mon Jun 18 08:56:27 CEST 2012
Hi,
> I have copied the End Entity certificate and key; but I have not copied
> the CA certificate.
It looks like you are using the same certificate and key for the two
peers. Is this correct?
> I was expecting the connection to fail, as authentication should fail
> in this case.
> leftcert="/etc/ipsec/certs/ipsec.d//certs/defaultCertificate.pem"
If you define a left/rightcert in your configuration, this explicitly
loaded certificate is marked as "trusted":
> 14[CFG] no issuer certificate found for "C=FI, ST=testee, L=testee, O=ABC, OU=testee, CN=example ee certificate"
> 14[CFG] using trusted certificate "C=FI, ST=testee, L=testee, O=ABC, OU=testee, CN=example ee certificate"
Since you're using the same certificate on both ends, we have a locally
valid and trusted certificate to verify the signature. No need to
validate the trustchain using the CA.
If you run a CA and want to validate the certificates, please consider
using distinct certificates for each peer.
Regards
Martin
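As an added illustration (not part of the reply above or of the strongSwan project's own documentation), the two ipsec.conf patterns the reply contrasts: the same explicitly loaded certificate on both peers, which strongSwan treats as trusted without consulting a CA, beside a setup with one certificate per peer that is validated against a CA. All DNs, file names and connection names below are constructed.

```ini
# --- Setup that produced the behaviour above (constructed example) ---
# Both peers load the SAME certificate via leftcert. strongSwan marks an
# explicitly loaded certificate as trusted, so each side verifies the
# peer's signature with a locally trusted certificate and never needs
# the CA; a missing CA certificate therefore does not fail the IKE_SA.
conn same-cert-both-sides
    keyexchange=ikev2
    leftcert=defaultCertificate.pem      # same file copied to both hosts
    leftid="C=FI, O=ABC, CN=example ee certificate"
    rightid="C=FI, O=ABC, CN=example ee certificate"
    leftauth=pubkey
    rightauth=pubkey
    auto=add

# --- Corrected setup: one certificate per peer, validated against the CA ---
# Only this host's own end-entity certificate is loaded with leftcert. The
# peer's certificate is NOT loaded explicitly, so it must chain to a CA
# certificate installed in /etc/ipsec.d/cacerts/ (hypothetical exampleCA.pem).
# rightca restricts which issuer is acceptable for the remote end.
conn distinct-certs
    keyexchange=ikev2
    leftcert=moonCert.pem                # this host's own certificate
    leftid="C=FI, O=ABC, CN=moon"
    rightid="C=FI, O=ABC, CN=sun"        # subject of the remote peer's certificate
    rightca="C=FI, O=ABC, CN=Example CA" # constructed issuer DN
    leftauth=pubkey
    rightauth=pubkey
    auto=add
```

With the second configuration and the CA certificate absent from /etc/ipsec.d/cacerts/, the peer's certificate has no trusted issuer and authentication is rejected instead of succeeding silently; `ipsec listcacerts` shows which CA certificates are currently loaded.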