Bug #172
Support X509 certificates without CA basic constraints
| Field | Value |
|---|---|
| Status: | Closed |
| Priority: | Low |
| Assignee: | Tobias Brunner |
| Category: | charon |
| Target version: | 4.6.2 |
| Start date: | 28.01.2012 |
| Due date: | |
| % Done: | 0% |
| Affected version: | 4.6.1 |
| Resolution: | |
Description
charon fails to load X509 CA certificates without CA basic constraints. Here is a patch that adds this functionality.
History
Updated by Tobias Brunner 4 months ago
- Status changed from New to Feedback
- Priority changed from Normal to Low
The problem with this is that it enables any user with a valid client certificate to issue arbitrary certificates, hence allowing them to perform man-in-the-middle attacks.
Therefore, this patch won't make it into any strongSwan release.
Updated by Nikolay bryskin 4 months ago
I agree that my patch is too permissive, but I'm using it because of http://www.tbs-x509.com/GTECyberTrustGlobalRoot2018.crt, which is a version 1 X509 certificate and has no extensions, including basic constraints. Maybe we should check for the certificate version before checking CA constraints?
Updated by Tobias Brunner 4 months ago
- File ignore_missing_ca_basic_constraint.patch added
- Category set to charon
- Assignee set to Tobias Brunner
I see. It seems there are a few older CA root certificates without basic constraints still in use (on my Ubuntu system I got over 20 of them).
Would the attached patch work for you? It allows forcing the stroke plugin (charon.plugins.stroke.ignore_missing_ca_basic_constraint in strongswan.conf) to treat certificates in /etc/ipsec.d/cacert and listed in ipsec.conf ca sections as CA certificates even if they lack a CA basic constraint.
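The two policies discussed in this thread, as an added example that is not strongSwan's code: the first comment explains why accepting any certificate without a BasicConstraints extension as a CA lets a client-certificate holder issue certificates for others, and the second comment limits the exception to certificates the administrator installed as trust anchors. The block below parses the DER-encoded BasicConstraints extension value (OID 2.5.29.19), implements both policies over certificates modelled as plain dicts, and walks a constructed chain through each. Signature checking is replaced by issuer/subject name matching, and all certificate data, names and the `trust_anchor` flag are constructed for the example.

```python
# Added example (not strongSwan code): DER parser for X.509 BasicConstraints
# plus the permissive and the strict CA policy discussed in the thread.
# Certificates are plain dicts; signature verification is replaced by
# issuer/subject name matching so the example runs offline.

OID_BASIC_CONSTRAINTS = "2.5.29.19"


def parse_basic_constraints(der: bytes):
    """Parse BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE,
    pathLenConstraint INTEGER OPTIONAL }. Returns (ca, pathlen)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("BasicConstraints must be a SEQUENCE")
    length = der[1]
    if length & 0x80:
        raise ValueError("long-form length not expected in BasicConstraints")
    body = der[2:2 + length]
    if len(body) != length or len(der) != 2 + length:
        raise ValueError("length mismatch")
    ca, pathlen, i = False, None, 0
    if i < len(body) and body[i] == 0x01:            # BOOLEAN cA
        if len(body) < i + 3 or body[i + 1] != 1 or body[i + 2] not in (0x00, 0xFF):
            raise ValueError("invalid DER BOOLEAN")
        ca = body[i + 2] == 0xFF
        i += 3
    if i < len(body) and body[i] == 0x02:            # INTEGER pathLenConstraint
        if len(body) < i + 2:
            raise ValueError("truncated INTEGER")
        n = body[i + 1]
        if len(body) < i + 2 + n:
            raise ValueError("truncated INTEGER")
        pathlen = int.from_bytes(body[i + 2:i + 2 + n], "big")
        i += 2 + n
    if i != len(body):
        raise ValueError("trailing data in BasicConstraints")
    return ca, pathlen


def is_ca_permissive(cert, _ignore_missing_bc=False):
    """Behaviour of the originally submitted patch: a certificate without
    BasicConstraints is accepted as a CA, so any peer certificate could issue."""
    ext = cert["extensions"].get(OID_BASIC_CONSTRAINTS)
    return parse_basic_constraints(ext)[0] if ext is not None else True


def is_ca_strict(cert, ignore_missing_bc=False):
    """Policy of the accepted patch: BasicConstraints decides; a certificate
    lacking it counts as a CA only when it was installed as a trust anchor
    and the ignore_missing_ca_basic_constraint option is enabled."""
    ext = cert["extensions"].get(OID_BASIC_CONSTRAINTS)
    if ext is not None:
        return parse_basic_constraints(ext)[0]
    return ignore_missing_bc and cert.get("trust_anchor", False)


def validate_chain(chain, trust_anchors, ca_policy, ignore_missing_bc=False):
    """chain[0] is the end-entity certificate; each entry must be issued by the
    next one and the last by a trust anchor. True only if every issuer may
    act as a CA under ca_policy."""
    for i, cert in enumerate(chain):
        issuer = chain[i + 1] if i + 1 < len(chain) else trust_anchors.get(cert["issuer"])
        if issuer is None or issuer["subject"] != cert["issuer"]:
            return False
        if not ca_policy(issuer, ignore_missing_bc):
            return False
    return True


# Constructed certificates (not real ones). The root is a v1 certificate and
# therefore cannot carry any extension, like the old root named in the thread.
ROOT = {"subject": "CN=Old Root", "issuer": "CN=Old Root", "version": 1,
        "extensions": {}, "trust_anchor": True}
ALICE = {"subject": "CN=alice", "issuer": "CN=Old Root", "version": 3,
         "extensions": {OID_BASIC_CONSTRAINTS: b"\x30\x00"}}   # CA=FALSE (DER default)
BOB = {"subject": "CN=bob", "issuer": "CN=Old Root", "version": 3,
       "extensions": {}}                                        # no BasicConstraints
ISSUED_BY_BOB = {"subject": "CN=vpn.example.com", "issuer": "CN=bob", "version": 3,
                 "extensions": {}}
TRUST = {ROOT["subject"]: ROOT}


def scenarios():
    """Outcome of each chain under each policy."""
    return {
        # Root without BasicConstraints is usable only with the explicit option.
        "bob_strict_default": validate_chain([BOB], TRUST, is_ca_strict),
        "bob_strict_option": validate_chain([BOB], TRUST, is_ca_strict, True),
        # A peer certificate without BasicConstraints never becomes an issuer...
        "via_bob_strict_option": validate_chain([ISSUED_BY_BOB, BOB], TRUST, is_ca_strict, True),
        # ...but the permissive patch accepted it.
        "via_bob_permissive": validate_chain([ISSUED_BY_BOB, BOB], TRUST, is_ca_permissive),
        # An explicit CA=FALSE is honoured by both policies.
        "via_alice_permissive": validate_chain(
            [{"subject": "CN=x", "issuer": "CN=alice", "version": 3, "extensions": {}}, ALICE],
            TRUST, is_ca_permissive),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:24s} {'accepted' if ok else 'rejected'}")
```

The `trust_anchor` flag stands in for "loaded from /etc/ipsec.d/cacert or an ipsec.conf ca section"; only certificates the administrator placed there can be promoted, which is what confines the exception to the local trust store rather than to whatever a peer presents.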
Updated by Martin Willi 4 months ago
Looks fine to me.
I think we could even avoid set_flags() by passing the flag to the builder (BUILD_X509_FLAG).
Updated by Tobias Brunner 4 months ago
- Target version set to 4.6.2
> I think we could even avoid set_flags() by passing the flag to the builder (BUILD_X509_FLAG).
Yep. Changed the patch and committed it to master (see 9ec66bc).
Updated by Tobias Brunner 3 months ago
- Status changed from Feedback to Closed