[strongSwan] Fwd: Re: Validating Local Host Own Certificate

Andreas Steffen andreas.steffen at strongswan.org
Thu Dec 7 17:47:14 CET 2017


Hi Jafar,

I don't see any sense in strongSwan verifying local certificates.
At the extreme people are using self-signed certificates where there
is no trust chain at all both for the local and the remote end.
In that case trust has to be established over out-of-band channels.

You are free to patch strongSwan to add the desired functionality.
This is what open source software is all about. But we are not going to
integrate your patch into our master repository for the reasons
mentioned above.

There are a lot of external tools which allow you to check a trust 
chain, among them the strongSwan "pki --verify" command which even
checks the revocation status of the certificate via CRL or OCSP servers.

Best regards

Andreas

On 07.12.2017 17:25, Jafar Al-Gharaibeh wrote:
> Andreas, Tobias,
>
>    I would like to have this functionality, i.e., validating all certs
> even local ones and only use them if they are valid. I can easily do
> this via a script externally and prevent strongSwan from using them by
> stashing them in a non standard location for example. But I would rather
> do it properly through strongSwan if possible. Is there anything that
> would make this not a good idea or a technical reason that would make this
> hard to do?  If the answer is no, then I will work on a patch to do
> this. Please let me know.
>
> Thanks,
>
> Jafar
>
>     -------- Forwarded Message --------
>
> Subject: 	Re: [strongSwan] Validating Local Host Own Certificate
> Date: 	Thu, 7 Dec 2017 08:37:34 +0100
> From: 	Andreas Steffen <andreas.steffen at strongswan.org>
> To: 	Jafar Al-Gharaibeh <jafar at atcorp.com>, users at lists.strongswan.org
>
>
>
> Hi Jafar,
>
> locally loaded certificates are always trusted.
>
> Regards
>
> Andreas
>
> On 07.12.2017 07:44, Jafar Al-Gharaibeh wrote:
>> Hi,
>>
>>     I have noticed that when configuring the local certificate in a
>> connection via:
>>
>>     leftcert=cert.pem
>>
>>    The certificate is loaded and trusted without validating it through
>> CA/trust-chains. Is this behavior documented anywhere? Digging through
>> documentation I only found old email references to this. Is this the
>> expected behavior? Is there a way to force one's own certificate
>> validation when loaded/used? i.e., cert.pem above has to be validated
>> through a CA trust chain.
>>
>> Thanks,
>> Jafar
>
> --
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Open Source VPN Solution!          www.strongswan.org
> Institute for Networked Solutions
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[INS-HSR]==
>

-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Networked Solutions
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[INS-HSR]==
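
Added example, not part of the original thread and not strongSwan code: a sketch of the external gate discussed above, which runs `pki --verify` on a staged certificate and only copies it to where `leftcert=` will find it if the chain checks out. The function name and the staging layout are assumptions, and the script assumes `pki --verify` exits non-zero for an untrusted certificate.

```shell
#!/bin/sh
# Added example: gate a local certificate on a successful trust-chain check.
# install_if_trusted and the directory layout are hypothetical; typical
# defaults would be /etc/ipsec.d/cacerts for the CA and /etc/ipsec.d/certs
# as DEST_DIR, with the staged certificate kept outside both.

# install_if_trusted STAGED_CERT CA_CERT DEST_DIR [online]
# Copies STAGED_CERT into DEST_DIR only if "pki --verify" accepts it against
# CA_CERT. On failure any previously installed copy is removed, so strongSwan
# has nothing to load for that leftcert= entry.
# Returns 0 = installed, 1 = verification failed, 2 = missing input.
install_if_trusted() {
    staged=$1 ca=$2 dest_dir=$3 mode=${4:-offline}
    target="$dest_dir/$(basename "$staged")"

    [ -r "$staged" ] && [ -r "$ca" ] || { echo "missing input" >&2; return 2; }

    # "online" adds --online, which lets pki fetch CRLs / query OCSP so that
    # revocation status is checked in addition to the signature chain.
    if [ "$mode" = online ]; then
        set -- --online
    else
        set --
    fi

    if pki --verify --in "$staged" --cacert "$ca" "$@" >/dev/null 2>&1; then
        # Copy to a temp name and rename, so a reader never sees a partial file.
        tmp="$target.tmp.$$"
        cp "$staged" "$tmp" && chmod 644 "$tmp" && mv "$tmp" "$target"
        return $?
    fi

    echo "verification failed, withholding $(basename "$staged")" >&2
    rm -f "$target"
    return 1
}

# Usage (paths are assumptions):
#   install_if_trusted /etc/ipsec.d/staging/cert.pem \
#       /etc/ipsec.d/cacerts/ca.pem /etc/ipsec.d/certs online
```

Because locally loaded certificates are always trusted, the gate has to run before the daemon loads its credentials, and again whenever the certificate or CA file changes.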
