Bug #172
Support X509 certificates without CA basic constraints
Description
charon fails to load X509 CA certificates without CA basic constraints. Here is patch that adds this functionality.
History
#1 Updated by Tobias Brunner over 8 years ago
- Status changed from New to Feedback
- Priority changed from Normal to Low
The problem with this is that it enables any user with a valid client certificate to issue arbitrary certificates, hence, allowing them to perform man-in-the-middle attacks.
Therefore, this patch won't make it into any strongSwan release.
#2 Updated by Nikolay bryskin over 8 years ago
I agree that my patch is too permissive, but I'm using it because of http://www.tbs-x509.com/GTECyberTrustGlobalRoot2018.crt that is version 1 X509 and hasn't any extensions, including basic constraints. My be we should check for certificate version before checking CA constraints?
#3 Updated by Tobias Brunner over 8 years ago
- File ignore_missing_ca_basic_constraint.patch ignore_missing_ca_basic_constraint.patch added
- Category set to charon
- Assignee set to Tobias Brunner
I see. It seems there are a few older CA root certificates without basic constraint still in use (on my Ubuntu system I got over 20 of them).
Would the attached patch work for you? It allows to force the stroke plugin (charon.plugins.stroke.ignore_missing_ca_basic_constraint in strongswan.conf) to treat certificates in /etc/ipsec.d/cacert and listed in ipsec.conf ca sections as CA certificates even if they lack a CA basic constraint.
#4 Updated by Martin Willi over 8 years ago
Looks fine to me.
I think we could even avoid set_flags() by passing the flag to the builder (BUILD_X509_FLAG).
#5 Updated by Tobias Brunner over 8 years ago
- Target version set to 4.6.2
I think we could even avoid set_flags() by passing the flag to the builder (BUILD_X509_FLAG).
Yep. Changed the patch and committed it to master (see 9ec66bc).
#6 Updated by Tobias Brunner over 8 years ago
- Status changed from Feedback to Closed