[strongSwan] Authentication of a CERT payload with only the subject certificate

ABULIUS, MUGUR (MUGUR) mugur.abulius at alcatel-lucent.com
Tue Mar 26 10:59:29 CET 2013


Hello,
Our IKEv2 strongSwan Linux client systems should interoperate with a SEG having limited capabilities
for building up the CERT payload of the IKE_AUTH response. The SEG's CERT includes only the subject
certificate (no other ancestor certificates are sent within its CERT).
Under which client configuration is strongSwan able to validate the remote SEG?
More details on a specific use case:
    Trust anchor "RootX" configured on client and SEG
    Client cert chain: "RootX / sub-CAy / client" (all certificates stored on client)
    Client sends "sub-CAy / client" certificates in IKEv2 CERT payload (RootX cert. not sent)
    SEG cert chain: "RootX / sub-CAy / SEG" (same hierarchy, different end entities)
    SEG sends only the "SEG" certificate in CERT payload (instead of "sub-CAy / SEG")

Does authentication work?

Best Regards
Mugur
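As an added illustration (not from this thread or the strongSwan project), this is the shape of a client-side ipsec.conf for the scenario above, on the assumption that the client completes the SEG's chain from certificates it holds locally: the sub-CAy certificate is installed in the client's own certificate store next to RootX, and rightca pins the trust anchor so that the intermediate alone is not accepted as the root of trust. DN values, file names and the connection name are placeholders.

```ini
# /etc/ipsec.conf on the strongSwan client (added example, placeholder names)
#
# Certificate placement assumed on the client:
#   /etc/ipsec.d/cacerts/RootX.pem     trust anchor
#   /etc/ipsec.d/cacerts/sub-CAy.pem   intermediate, needed to build the
#                                      SEG's chain when the SEG sends only
#                                      its own end-entity certificate
#   /etc/ipsec.d/certs/client.pem      client end-entity certificate
#   /etc/ipsec.d/private/client.key    client private key (listed in
#                                      ipsec.secrets as ": RSA client.key")
config setup

conn seg
    keyexchange=ikev2
    # local side: authenticate with the client certificate and always send it
    leftcert=client.pem
    leftsendcert=always
    leftauth=pubkey
    # remote side: the SEG authenticates with a certificate; the chain the
    # client builds for it must pass through the pinned trust anchor RootX
    rightauth=pubkey
    rightid="C=XX, O=Example, CN=SEG"
    rightca="C=XX, O=Example, CN=RootX"
    auto=add
```

After `ipsec rereadcacerts`, `ipsec listcacerts` should list both RootX and sub-CAy; if sub-CAy is missing there, the client has nothing to bridge the SEG's end-entity certificate to the anchor.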

