[strongSwan] Fwd: Re: Validating Local Host Own Certificate
Jafar Al-Gharaibeh
jafar at atcorp.com
Thu Dec 7 18:22:06 CET 2017
To make this even more obvious, the name of such config item should
refer to "local" as :
"StrictLocalCert=yes" or "EnforceValidLocalCert=yes"
On 12/7/2017 11:17 AM, Jafar Al-Gharaibeh wrote:
> Hi Andreas,
>
> I agree with you completely. I wasn't suggesting to change the
> default behavior, sorry I didn't make that clear. I was thinking of
> adding a new connection configuration item like "StrictCert=yes" or
> "EnforceValidCert=yes" to achieve the new behavior. The default for
> such a new config would be still be no.
>
> Kind Regards,
> Jafar
>
>
> On 12/7/2017 10:47 AM, Andreas Steffen wrote:
>> Hi Jafar,
>>
>> I don't see any sense in strongSwan verifying local certificates.
>> At the extreme people are using self-signed certificates where there
>> is no trust chain at all both for the local and the remote end.
>> In that case trust has to be established over out-of-band channels.
>>
>> You are free to patch strongSwan to add the desired functionality.
>> This is what open source software is all about. But we are not going to
>> integrate your patch into our master repository for the reasons
>> mentioned above.
>>
>> There are a lot of external tools which allow you to check a trust
>> chain, among them the strongSwan "pki --verify" command which even
>> checks the revocation status of the certificate via CRL or OCSP servers.
>>
>> Best regards
>>
>> Andreas
>>
>> On 07.12.2017 17:25, Jafar Al-Gharaibeh wrote:
>>> Andreas, Tobias,
>>>
>>> I would like to have this functionality, i.e, validating all certs
>>> even local ones and only use them if they are valid. I can easily do
>>> this via a script externally and prevent strongSwan from using them by
>>> stashing them in a non standard location for example. But I would
>>> rather
>>> do it properly through strongSwan if possible. Is there anything that
>>> would make no a good idea or a technical reason that would make this
>>> hard to do? If the answer is no, then I will work on a patch to do
>>> this. Please let me know.
>>>
>>> Thanks,
>>>
>>> Jafar
>>>
>>> -------- Forwarded Message --------
>>>
>>> Subject: Re: [strongSwan] Validating Local Host Own Certificate
>>> Date: Thu, 7 Dec 2017 08:37:34 +0100
>>> From: Andreas Steffen <andreas.steffen at strongswan.org>
>>> To: Jafar Al-Gharaibeh <jafar at atcorp.com>,
>>> users at lists.strongswan.org
>>>
>>>
>>>
>>> Hi Jafar,
>>>
>>> locally loaded certificates are always trusted.
>>>
>>> Regards
>>>
>>> Andreas
>>>
>>> On 07.12.2017 07:44, Jafar Al-Gharaibeh wrote:
>>>> Hi,
>>>>
>>>> I have noticed that when configuring the local certificate in a
>>>> connection via :
>>>>
>>>> leftcert=cert.pem
>>>>
>>>> The certificate is loaded and trusted without validating it through
>>>> CA/trust-chains. Is this behavior documented anywhere? digging through
>>>> documentation I only found old email references to this. Is this the
>>>> expected behavior? Is there a way to force one's own certificate
>>>> validation when loaded/used? i.e/ cert.pem above has to be validated
>>>> through a CA tustchain.
>>>>
>>>> Thanks,
>>>> Jafar
>>>
>>> --
>>> ======================================================================
>>> Andreas Steffenandreas.steffen at strongswan.org
>>> strongSwan - the Open Source VPN Solution!www.strongswan.org
>>> Institute for Networked Solutions
>>> University of Applied Sciences Rapperswil
>>> CH-8640 Rapperswil (Switzerland)
>>> ===========================================================[INS-HSR]==
>>>
>>
>
>
More information about the Users
mailing list