[strongSwan] does EAP-TLS work with self signed certificates

Ravi Kanth Vanapalli vvnrk.vanapalli at gmail.com
Thu Oct 20 22:19:51 CEST 2016

Dear Noel,
   As per RFC 5216 , https://tools.ietf.org/html/rfc5216
   EAP TLS peer should add TLS_certificate_verify  while sending its
certificate. Private key is used there. It contains signed authentication
response to the EAP server.
  Can yo uplease help answering the original query.

Sequence flow from RFC is copied here below for quick reference.

   Authenticating Peer     Authenticator
   -------------------     -------------
                           <- EAP-Request/
   Identity (MyID) ->
                           <- EAP-Request/
                           (TLS Start)
   (TLS client_hello)->
                           <- EAP-Request/
                           (TLS server_hello,
                             TLS certificate,
                    [TLS server_key_exchange,]
                     TLS certificate_request,
                        TLS server_hello_done)
   (TLS certificate,
    TLS client_key_exchange,
    TLS certificate_verify,
    TLS change_cipher_spec,
    TLS finished) ->
                           <- EAP-Request/
                           (TLS change_cipher_spec,
                            TLS finished)
   EAP-Type=EAP-TLS ->
                           <- EAP-Success

On Thu, Oct 20, 2016 at 3:44 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:

> On 19.10.2016 23:13, Ravi Kanth Vanapalli wrote:
> >    Server has issued a self signed certificated for the UE. UE is
> supposed  to share this cert via EAP-TLS authentication when server
> requests a certificate
> >    Server has shared the private key to the UE via secure means. This
> signature is used for  for signature verification in EAP-TLS
> Don't share the private key. The design of TLS does not require that. And
> what signature? The signature of the self signed certificate?
> >
> >   Does this kind of setup work for EAP-TLS authentication in strongswan
> ?  I mean, when UE is trying to find a private key using the API
> find_private_key() in file tls_peer.c, it returns null.
> --
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658


RaviKanth VN Vanapalli
Ph: (469) 999 7567
Email: vvnrk.vanapalli at gmail.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20161020/5a73d9d7/attachment.html>

More information about the Users mailing list