[strongSwan] Allowing only one session per client certificate

kgardenia42 kgardenia42 at googlemail.com
Mon Oct 22 18:54:06 CEST 2012


On Mon, Oct 22, 2012 at 5:37 PM, Tobias Brunner <tobias at strongswan.org> wrote:
> Hi,
>
>>>> I'm wondering if iOS devices will allow rsasig over xauthrsasig.
>>>
>>> As far as I know, they don't.
>>
>> That being the case ... if I wanted to still use xauthrsasig would it
>> be feasible for me to patch strongswan (5.0.1) to use the "DN" of the
>> client cert as the uniqueness check without much effort?  Can you give
>> any pointers to accomplish this?
>
> You may revert commit 0fbfcf2a [1] to use the IKE identities in
> uniqueness checks.

Thanks.  That is a big help!

> But will your clients really all use the same XAuth
> credentials?

Yes.  I'm really only using xauth as a piece of red tape because the
client (iOS) mandates it.  The client certificates will really
identify my users.  The CRL will remove banned or expired users.

As a general point: perhaps my use-case is distorted somewhat, but
would it make sense to have this uniqueness criterion as a
configuration option?

Furthermore, does it not make sense that in the "xauthrsasig" case
users should be considered unique on the DN *and* the xauth username?
I.e., on the basis that with "rsasig" it uses the DN to uniquely identify
people, should it not be both in the "xauthrsasig" case?

Sorry if this is off base.  Just thinking out loud.

Thanks!
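For readers following the setup discussed above (iOS clients, certificate-based
identity, a single shared XAuth credential, revocation via CRL), here is an
ipsec.conf/ipsec.secrets sketch for strongSwan 5.0.x. It is an added example,
not configuration from the original post or from the strongSwan project; the
gateway identity, certificate file names, CA DN, address pool and the XAuth
user name are placeholders. Note that, as the thread states, the stock 5.0.1
uniqueness check for xauthrsasig keys on the XAuth identity, so with one
shared XAuth login `uniqueids=yes` alone will not tell clients apart; the
DN-based behaviour requires the reverted commit mentioned above.

```ini
# /etc/ipsec.conf  (added example; all names and addresses are placeholders)
config setup
    # Uniqueness enforcement: with the stock 5.0.1 XAuth identity check and
    # a single shared XAuth login, every iOS client looks identical here.
    uniqueids=yes
    # Reject client certificates when no valid CRL is available, so a banned
    # or expired user is actually turned away rather than silently admitted.
    strictcrlpolicy=yes

conn ios-xauthrsasig
    keyexchange=ikev1
    # RSA signature authentication plus XAuth, which iOS requires for IKEv1
    authby=xauthrsasig
    xauth=server
    left=%any
    leftcert=vpnGatewayCert.pem
    leftid=@vpn.example.org
    leftsubnet=0.0.0.0/0
    right=%any
    # Only certificates issued by this CA are accepted; the CRL of this CA
    # decides which of them are still valid.
    rightca="C=XX, O=Example Org, CN=Example VPN CA"
    rightsourceip=10.10.10.0/24
    auto=add
```

The matching ipsec.secrets would hold the gateway's private key and the single
XAuth login that all iOS clients share, e.g. `: RSA vpnGatewayKey.pem` and
`vpnuser : XAUTH "placeholder-password"` (placeholder values). After
publishing an updated CRL into /etc/ipsec.d/crls, run `ipsec rereadcrls` and
check the result with `ipsec listcrls`; `strictcrlpolicy=yes` means an
expired or missing CRL blocks all certificate logins, so keep an eye on the
CRL's nextUpdate.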
