[strongSwan] Strongswan 5.6.1 X509 certificate validation
Tobias Brunner
tobias at strongswan.org
Mon Aug 30 17:48:25 CEST 2021
Hi Philip,
> The Ubuntu strongSwan 5.6.1 base application I am working with validates
> certificates with CRLs using OpenSSL before installing all certs and CRLs
> via a VICI interface.
>
> I am surprised to see this code as I thought it would be part of
> strongSwan certification validation.
>
> I have not yet found any words that describe what certificate
> validation is performed by strongSwan.
>
> Please point me at the words that describe how strongSwan validates
> certificates against ICA and CA certificates, and also CRLs.
Locally loaded certificates are never checked against CRLs or via OCSP.
That only happens for certificates received from peers and requires
the revocation plugin and a fetcher plugin (e.g. curl), and for OCSP,
the x509 plugin is required too.
A trust chain is built for local certificates if the corresponding CA
certificates are available, but that's only done to determine the
intermediate CA certificates that might have to be sent to peers. An
invalid or incomplete trust chain for local certificates won't result in
an immediate failure (authentication might still fail on the peer if
intermediate CA certificates are not sent, or certificates have expired
or were revoked).
So if you want to make absolutely certain that the locally installed
certificates are valid, you might need such an external validation
before installing them. Instead of using OpenSSL this could also be
done via `pki --verify` if it's available [1] (the `--online` option
requires the same plugins I mentioned above).
Regards,
Tobias
[1] https://wiki.strongswan.org/projects/strongswan/wiki/IpsecPkiVerify
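The external pre-check described in the reply, as an added example that is not part of the original thread: a small POSIX shell gate that runs `pki --verify` (with `--online` for CRL/OCSP fetching) on each certificate and only then calls `swanctl --load-creds`. The `--in` and `--cacert` options are the real `pki --verify` options; the `PKI`/`SWANCTL` overrides are my own addition for dry runs.

```shell
#!/bin/sh
# Gate loading credentials into charon behind an external validity check.
# strongSwan never runs CRL/OCSP checks on locally loaded certificates, so
# verify each certificate with `pki --verify` first and only then load them.
# PKI and SWANCTL may be overridden (e.g. with `true`/`false`) for dry runs.
PKI=${PKI:-pki}
SWANCTL=${SWANCTL:-swanctl}

# verify_cert CERT CACERT
# Builds the chain from CERT up to CACERT and, with --online, fetches CRLs
# or OCSP responses (needs the revocation, fetcher and x509 plugins loaded
# in pki's plugin configuration, as noted in the reply above).
verify_cert() {
    "$PKI" --verify --in "$1" --cacert "$2" --online
}

# load_if_valid CACERT CERT...
# Returns 0 and runs `swanctl --load-creds` only if every CERT verifies;
# otherwise reports the first failing file and returns 1 without loading.
load_if_valid() {
    cacert=$1
    shift
    for cert in "$@"; do
        if ! verify_cert "$cert" "$cacert"; then
            echo "refusing to load: $cert failed verification" >&2
            return 1
        fi
    done
    "$SWANCTL" --load-creds
}
```

Pass intermediate CA certificates as extra `--cacert` arguments in `verify_cert` if the chain does not end directly at the root; the intended call is `load_if_valid /etc/swanctl/x509ca/ca.pem /etc/swanctl/x509/*.pem`.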