[strongSwan] Fwd: Re: Validating Local Host Own Certificate

Jafar Al-Gharaibeh jafar at atcorp.com
Thu Dec 7 18:17:10 CET 2017

Hi Andreas,

    I agree with you completely.  I wasn't suggesting to change the 
default behavior, sorry I didn't make that clear. I was thinking of 
adding a new connection configuration item like "StrictCert=yes" or 
"EnforceValidCert=yes" to achieve the new behavior. The default for such 
a new config would be still be no.

Kind Regards,

On 12/7/2017 10:47 AM, Andreas Steffen wrote:
> Hi Jafar,
> I don't see any sense in strongSwan verifying local certificates.
> At the extreme people are using self-signed certificates where there
> is no trust chain at all both for the local and the remote end.
> In that case trust has to be established over out-of-band channels.
> You are free to patch strongSwan to add the desired functionality.
> This is what open source software is all about. But we are not going to
> integrate your patch into our master repository for the reasons
> mentioned above.
> There are a lot of external tools which allow you to check a trust 
> chain, among them the strongSwan "pki --verify" command which even
> checks the revocation status of the certificate via CRL or OCSP servers.
> Best regards
> Andreas
> On 07.12.2017 17:25, Jafar Al-Gharaibeh wrote:
>> Andreas, Tobias,
>>    I would like to have this functionality, i.e, validating all certs
>> even local ones and only use them if they are valid. I can easily do
>> this via a script externally and prevent strongSwan from using them by
>> stashing them in a non standard location for example. But I would rather
>> do it properly through strongSwan if possible. Is there anything that
>> would make no a good idea or a technical reason that would make this
>> hard to do?  If the answer is no, then I will work on a patch to do
>> this. Please let me know.
>> Thanks,
>> Jafar
>>     -------- Forwarded Message --------
>> Subject:     Re: [strongSwan] Validating Local Host Own Certificate
>> Date:     Thu, 7 Dec 2017 08:37:34 +0100
>> From:     Andreas Steffen <andreas.steffen at strongswan.org>
>> To:     Jafar Al-Gharaibeh <jafar at atcorp.com>, 
>> users at lists.strongswan.org
>> Hi Jafar,
>> locally loaded certificates are always trusted.
>> Regards
>> Andreas
>> On 07.12.2017 07:44, Jafar Al-Gharaibeh wrote:
>>> Hi,
>>>     I have noticed that when configuring the local certificate in a
>>> connection via :
>>>     leftcert=cert.pem
>>>    The certificate is loaded and trusted without validating it through
>>> CA/trust-chains. Is this behavior documented anywhere? digging through
>>> documentation I only found old email references  to this. Is this the
>>> expected behavior? Is there a way to force one's own certificate
>>> validation when loaded/used? i.e/ cert.pem above has to be validated
>>> through a CA tustchain.
>>> Thanks,
>>> Jafar
>> -- 
>> ======================================================================
>> Andreas Steffenandreas.steffen at strongswan.org
>> strongSwan - the Open Source VPN Solution!www.strongswan.org
>> Institute for Networked Solutions
>> University of Applied Sciences Rapperswil
>> CH-8640 Rapperswil (Switzerland)
>> ===========================================================[INS-HSR]==

More information about the Users mailing list