[strongSwan] FreeBSD 12.x .vs. 13.x - change in strongswan as well?

Tobias Brunner tobias at strongswan.org
Mon Oct 17 11:19:00 CEST 2022


Hi Karl,

> Using the "stroke" interface does not impact this; it appears to be 
> something changed between 5.9.5 and 5.9.6 and the release notes imply 
> this is likely the cause:
> 
>   * The client identity (e.g. the IKE or EAP identity for EAP-TLS) is
>     again enforced by libtls.

Yes, this was a regression introduced with the TLS 1.3 changes in 5.9.2. 
Any version between that and 5.9.6 didn't verify that the client's 
identity is confirmed by the certificate (so users could authenticate as 
any identity as long as they had a valid and trusted certificate).

> And, it appears, Windows is insisting on using the CN when presenting 
> the identity (instead of the field(s) in the SAN) unless you set the 
> option on the VPN profile to allow an override -- and then you have to 
> hand-key it on each connection.  I don't believe there is any way to 
> tell Windows to use the SAN identity or identities on its own.

Yes, as documented on [1], the Windows client uses the CN value as EAP 
identity with EAP-TLS (i.e. user certificates).  I didn't know this can 
actually be changed, so that might be something we could add to the 
docs.  Could you provide details on this?  Anyway, without explicit 
changes on the client, this only works if the certificate contains a 
matching SAN.

The problem is that the EAP identity does not contain a type, so unless 
the data is ASN.1 (e.g. a full binary DN), the rules at [2] apply when 
the identity is parsed.  In your case, with

> the "CN" of these certs is the full name of the person, not an email address

the SAN would have to be of type dNSName as that's the default fallback 
for the parser.  Considering that the full name probably contains spaces 
that might be a bit weird but it's perfectly legal as dNSName is of type 
IA5String, which accepts all ASCII characters, and DNS names may consist 
of any 8-bit characters (only host names are subject to some further 
restrictions).

Regards,
Tobias

[1] https://docs.strongswan.org/docs/5.9/interop/windowsCertRequirements.html#_client_certificates
[2] https://docs.strongswan.org/docs/5.9/config/identityParsing.html
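As an added illustration (not strongSwan's own code) of the two points above: an EAP identity arrives without a type, so a parser has to guess it (a DER SEQUENCE is taken as a binary DN, then IP address, e-mail, textual DN, and finally the dNSName fallback, a simplified reading of the rules at [2] that leaves out the prefix forms), and the result must then be confirmed by the client certificate, which is the step missing in 5.9.2 to 5.9.5. The SAN_TYPE mapping, the sample certificate and its placeholder subject_der are constructed for this example.

```python
import ipaddress

def _der_length_ok(raw: bytes) -> bool:
    """True if raw is exactly one DER SEQUENCE (tag 0x30 with a matching length)."""
    if len(raw) < 2 or raw[0] != 0x30:
        return False
    first = raw[1]
    if first < 0x80:
        return len(raw) == 2 + first
    n = first & 0x7F   # long form: n length bytes follow
    return (n in (1, 2) and len(raw) >= 2 + n
            and len(raw) == 2 + n + int.from_bytes(raw[2:2 + n], "big"))

def normalize_dn(dn: str) -> str:
    """Lower-case and strip each RDN; order is kept because DN order matters."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))

def parse_identity(raw: bytes) -> tuple:
    """Classify an untyped identity: binary DN, IP, e-mail, textual DN, else FQDN."""
    if _der_length_ok(raw):
        return ("DER_ASN1_DN", raw.hex())
    text = raw.decode("utf-8", errors="replace")
    try:
        return ("IP_ADDRESS", str(ipaddress.ip_address(text)))
    except ValueError:
        pass
    if "@" in text:
        return ("RFC822_ADDR", text.lower())
    if "=" in text:
        return ("ASN1_DN", normalize_dn(text))
    return ("FQDN", text.lower())   # default fallback: a dNSName, spaces and all

# Constructed mapping from identity type to the SAN type that can confirm it.
SAN_TYPE = {"RFC822_ADDR": "rfc822Name", "FQDN": "dNSName", "IP_ADDRESS": "iPAddress"}

def identity_confirmed(identity: tuple, cert: dict) -> bool:
    """The check 5.9.2 to 5.9.5 skipped: the identity must be backed by the certificate."""
    kind, value = identity
    if kind == "DER_ASN1_DN":
        return cert["subject_der"].hex() == value
    if kind == "ASN1_DN":
        return normalize_dn(cert["subject"]) == value
    return any(t == SAN_TYPE[kind] and v.lower() == value for t, v in cert["sans"])

# Constructed sample certificate; subject_der is a placeholder, not a real encoding.
CERT = {"subject": "C=CH, O=Example, CN=Karl Example",
        "subject_der": bytes.fromhex("30023100"),
        "sans": [("rfc822Name", "karl@example.org"), ("dNSName", "Karl Example")]}

def check(raw: bytes, cert: dict = CERT) -> bool:
    return identity_confirmed(parse_identity(raw), cert)
```

With the dNSName SAN removed from CERT, the Windows-style identity "Karl Example" is classified as an FQDN and rejected, which is the situation described in the thread.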


