Support X509 certificates without CA basic constraints
charon fails to load X509 CA certificates without CA basic constraints. Here is a patch that adds this functionality.
#1 Updated by Tobias Brunner over 8 years ago
- Status changed from New to Feedback
- Priority changed from Normal to Low
The problem with this is that it enables any user with a valid client certificate to issue arbitrary certificates, hence allowing them to perform man-in-the-middle attacks.
Therefore, this patch won't make it into any strongSwan release.
#2 Updated by Nikolay bryskin over 8 years ago
I agree that my patch is too permissive, but I'm using it because of http://www.tbs-x509.com/GTECyberTrustGlobalRoot2018.crt, which is a version 1 X509 certificate and doesn't have any extensions, including basic constraints. Maybe we should check for the certificate version before checking CA constraints?
#3 Updated by Tobias Brunner over 8 years ago
- File ignore_missing_ca_basic_constraint.patch ignore_missing_ca_basic_constraint.patch added
- Category set to charon
- Assignee set to Tobias Brunner
I see. It seems there are a few older CA root certificates without basic constraints still in use (on my Ubuntu system I have over 20 of them).
Would the attached patch work for you? It allows forcing the stroke plugin (charon.plugins.stroke.ignore_missing_ca_basic_constraint in strongswan.conf) to treat certificates in /etc/ipsec.d/cacert and those listed in ipsec.conf ca sections as CA certificates even if they lack a CA basic constraint.
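The decision the patch in #3 describes, written out as an added Python example (not strongSwan's own code) using the `cryptography` package; the "installed in the CA directory" and "option enabled" inputs of the stroke plugin are modelled as plain booleans, and the two self-signed certificates are constructed in the block itself:

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec


def ca_basic_constraint(cert):
    """True/False for an explicit BasicConstraints cA flag, None if the extension is absent."""
    try:
        ext = cert.extensions.get_extension_for_class(x509.BasicConstraints)
    except x509.ExtensionNotFound:
        return None
    return ext.value.ca


def accept_as_ca(cert, from_ca_store=False, ignore_missing=False):
    """Mirror of the policy in the thread (assumed, not strongSwan's code):
    - an explicit constraint decides (CA:FALSE is never a CA);
    - a certificate with no BasicConstraints at all (old v1 roots) counts as a CA only
      when the admin installed it in the CA store *and* enabled the override, so an
      end-entity certificate presented by a peer can never become an issuer (#1)."""
    ca = ca_basic_constraint(cert)
    if ca is not None:
        return ca
    return from_ca_store and ignore_missing


def make_self_signed(ca_flag):
    """Constructed test certificate; ca_flag=None omits BasicConstraints entirely."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "constructed example")])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1)))
    if ca_flag is not None:
        builder = builder.add_extension(
            x509.BasicConstraints(ca=ca_flag, path_length=None), critical=True)
    return builder.sign(key, hashes.SHA256())


if __name__ == "__main__":
    legacy_root = make_self_signed(None)   # no extensions, like the v1 root in #2
    print("version:", legacy_root.version, "ca:", ca_basic_constraint(legacy_root))
    print("from store + override:", accept_as_ca(legacy_root, True, True))
    print("peer-supplied + override:", accept_as_ca(legacy_root, False, True))
```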