[strongSwan] Strongswan 5.6.1 X509 certificate validation

Tobias Brunner tobias at strongswan.org
Mon Aug 30 17:48:25 CEST 2021

Hi Philip,

> The Ubuntu strongSwan 5.6.1 base application I am working with validates 
> certificates with CRLs using OpenSSL before installing all certs and CRLs 
> via a VICI interface.
> I am surprised to see this code as I thought it would be part of 
> strongSwan certification validation.
> I have not yet found any words that describe what certificate 
> validation is performed by strongSwan.
> Please point me at the words that describe how strongSwan validates 
> certificates against ICA and CA certificates, and also CRLs.

Locally loaded certificates are never checked against CRLs or via OCSP. 
That only happens for certificates received from peers and requires 
the revocation plugin and a fetcher plugin (e.g. curl), and for OCSP, 
the x509 plugin is required too.

A trust chain is built for local certificates if the corresponding CA 
certificates are available, but that's only done to determine the 
intermediate CA certificates that might have to be sent to peers.  An 
invalid or incomplete trust chain for local certificates won't result in 
an immediate failure (authentication might still fail on the peer if 
intermediate CA certificates are not sent, or certificates have expired 
or were revoked).

So if you want to make absolutely certain that the locally installed 
certificates are valid, you might need such an external validation 
before installing them.  Instead of using OpenSSL this could also be 
done via `pki --verify` if it's available [1] (the `--online` option 
requires the same plugins I mentioned above).


[1] https://wiki.strongswan.org/projects/strongswan/wiki/IpsecPkiVerify
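As an added example (not code from this thread or from strongSwan itself), a small POSIX shell wrapper that runs `pki --verify` against the CA certificates and CRLs first and only then copies the certificate into the swanctl credential directory and loads it over VICI with `swanctl --load-creds`. It assumes the `--in`, `--cacert`, `--crl` and `--online` options of `pki --verify`, the default `/etc/swanctl/x509` layout, and file paths without whitespace.

```shell
#!/bin/sh
# Added example, not strongSwan's own code: strongSwan does not CRL-check
# locally loaded certificates, so verify them externally before they are
# installed. Assumes pki --verify's --in/--cacert/--crl/--online options
# and the default swanctl directory layout (both assumptions, not facts
# taken from the thread).
set -u

SWANCTL_X509="${SWANCTL_X509:-/etc/swanctl/x509}"

# Build the pki --verify command line.
#   $1 = end-entity certificate
#   $2 = space-separated CA/intermediate CA certificates
#   $3 = space-separated CRL files (may be empty)
# ONLINE=1 adds --online, which needs the revocation and fetcher plugins.
build_verify_cmd() {
    cmd="pki --verify --in $1"
    for ca in $2; do cmd="$cmd --cacert $ca"; done
    for crl in $3; do cmd="$cmd --crl $crl"; done
    [ "${ONLINE:-0}" = "1" ] && cmd="$cmd --online"
    printf '%s' "$cmd"
}

# Return codes: 0 = verified and installed, 1 = verification failed,
# 2 = pki tool not available, 3 = copy or swanctl load failed.
verify_then_install() {
    command -v pki >/dev/null 2>&1 || return 2
    cmd=$(build_verify_cmd "$1" "$2" "$3")
    if ! $cmd; then
        echo "refusing to install $1: trust chain or CRL check failed" >&2
        return 1
    fi
    # Only a certificate that passed the check reaches the swanctl
    # directory and is loaded into the daemon through VICI.
    cp "$1" "$SWANCTL_X509/" && swanctl --load-creds || return 3
}

# Usage: ./verify-install.sh host.pem "ca.pem ica.pem" "ca.crl ica.crl"
if [ $# -gt 0 ]; then
    verify_then_install "$@"
fi
```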
