[strongSwan] how to send/request the intermediate CAs?

Harald Dunkel harald.dunkel at aixigo.de
Tue Feb 27 14:31:35 CET 2018


Hi Tobias,

On 02/26/18 09:28, Tobias Brunner wrote:
> Hi Harri,
> 
>>>> I had hoped that putting the whole chain into /etc/ipsec.d/certs/mycert.pem
>>>> would help, but apparently it doesn't.
>>>
>>> strongSwan reads only the first certificate from PEM encoded files.  So
>>> put them in separate files.
>>>
>>
>> This is unusual, is it?
> 
> What is?
> 

AFAICT it's unusual that the other certificates in a chain file
are ignored. In most cases they have been added on purpose,
e.g. to simplify the deployment of certificate files; it is the
regular output of openssl pkcs12 -cacerts ..., etc. IMHO it's
unexpected that they are silently ignored. But maybe I don't
see the downside of these chain files.

>> If I do, will charon send or request the whole chain?
> 
> Depends on the settings (send_certreq, send_cert in swanctl.conf,
> left|rightsendcert in ipsec.conf).  With the default settings the client
> will send certificate requests for all trusted CA certificates it has
> loaded (root or intermediate), or if a CA is assigned in the config only
> for that CA. 

Understood (hopefully). I would assume that if leftsendcert is set
to "always", then charon will push the certificates to the
peer without having received a request. But what about "never"?
How is authentication supposed to happen in this case? (Sorry for
asking, but it's not documented in the Wiki, AFAICS.)

> As responder, if any certificate requests are received (no
> matter for what CA) the end entity certificate along with the
> intermediate CA certificates will be sent to the client.
> 

That's the part I would like to see in charon's log file.
Some basic certificate info should show up, for each certificate,
as it is sent or received. Subject, issuers and KeyIDs should do.
Maybe the notBefore and notAfter entries as well, to spot
expired certificates.

I understand that this option might severely impact performance.
Surely not a default log setting.


I highly appreciate your work on strongSwan.

Regards
Harri
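As an added example (not part of the thread and not strongSwan project code): the workaround Tobias suggests is to give strongSwan one certificate per PEM file, because it reads only the first certificate of a file. The POSIX shell function below splits a chain file such as the output of openssl pkcs12 -cacerts into numbered single-certificate files. The sample chain is constructed placeholder text, not real certificates, and the output file names and the /etc/ipsec.d/certs and /etc/ipsec.d/cacerts destinations mentioned in the comments are this example's assumptions.

```shell
#!/bin/sh
# Added example: split a PEM chain file into one-certificate files,
# because strongSwan only loads the first certificate of each PEM file.
# Assumes the standard "-----BEGIN/END CERTIFICATE-----" armor lines.

# split_pem_chain CHAIN_FILE OUT_DIR PREFIX
# Writes OUT_DIR/PREFIX-1.pem, OUT_DIR/PREFIX-2.pem, ... in chain order and
# prints the number of certificates written.  With a typical chain the
# first file is the end-entity certificate (for /etc/ipsec.d/certs) and the
# remaining ones are the intermediate/root CAs (for /etc/ipsec.d/cacerts).
split_pem_chain() {
    chain="$1"; outdir="$2"; prefix="$3"
    mkdir -p "$outdir"
    awk -v outdir="$outdir" -v prefix="$prefix" '
        # a new certificate starts: open the next numbered output file
        /^-----BEGIN CERTIFICATE-----$/ { n++; out = outdir "/" prefix "-" n ".pem" }
        # copy every line that belongs to the current certificate
        out != "" { print > out }
        # certificate finished: close the file and ignore text until the next BEGIN
        /^-----END CERTIFICATE-----$/ { close(out); out = "" }
        END { print n + 0 }
    ' "$chain"
}

# Constructed sample chain: the base64 bodies are placeholders, NOT real
# certificates, so the split can be demonstrated offline.
TMP=$(mktemp -d)
cat > "$TMP/mycert.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0ND
-----END CERTIFICATE-----
EOF

count=$(split_pem_chain "$TMP/mycert.pem" "$TMP/split" chain)
echo "wrote $count certificate files to $TMP/split"
```

With real certificates, the subject, issuer and validity period that Harri would like to see in charon's log can be checked per file with openssl x509 -in FILE -noout -subject -issuer -dates before the files are moved into place, which also makes an expired intermediate visible before it breaks authentication.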

