Issue #2099
charon.cert_id_binding patch for new versions
Description
I'm looking for the patch that adds "charon.cert_id_binding" option, that will work for newer release of strongSwan (5.5.0)
Found this https://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=7f03c277 but it seems very outdated.
I realize this was not put upstream due to the inherit security implications, but we need this for internal testing (would really save us a lot of headache).
Any chance there's a fresh patch for this ?
Related issues
History
#1 Updated by Tobias Brunner about 9 years ago
- Status changed from New to Feedback
You should really not use this patch. Why do you think you need it?
#2 Updated by Danny Kulchinsky about 9 years ago
Tobias Brunner wrote:
You should really not use this patch. Why do you think you need it?
Quite a strange situations, but we have devices (clients) that use a certificate with a DN subject "X" however later send the value "Y" in IDr of IKE AUTH.
The above works with another Security Gateway that we have (which I know is problematic), but we need to do some tests with these devices connected to strongSwan, now since we cannot change the certificate in the Devices and we cannot set leftid on strongSwan to both "X" and "Y", strongSwan fails to find the matching peer configuration.
Unfortunately, these are also devices configured to not use EAP-Only...
Any ideas ?
#3 Updated by Tobias Brunner about 9 years ago
Quite a strange situations, but we have devices (clients) that use a certificate with a DN subject "X" however later send the value "Y" in IDr of IKE AUTH.
I assume you mean IDi (IDr is the responder identity) and I assume further that "Y" is not contained as subjectAltName in these client certificates. If that's the case, this is, in fact, problematic. The config lookup will be done using "Y" as that's what's submitted, but if you configure that and this identity is not contained in the certificate the authentication will fail afterwards. The patches in the cert-id-binding-option branch would allow this, but they basically allow anybody with an accepted certificate to authenticate with an arbitrary accepted identity. I rebased the branch to the current master (only compile-tested), but you should really fix your certificates/configs instead.
#4 Updated by Danny Kulchinsky about 9 years ago
Tobias Brunner wrote:
Quite a strange situations, but we have devices (clients) that use a certificate with a DN subject "X" however later send the value "Y" in IDr of IKE AUTH.
I assume you mean IDi (IDr is the responder identity) and I assume further that "Y" is not contained as subjectAltName in these client certificates. If that's the case, this is, in fact, problematic. The config lookup will be done using "Y" as that's what's submitted, but if you configure that and this identity is not contained in the certificate the authentication will fail afterwards. The patches in the cert-id-binding-option branch would allow this, but they basically allow anybody with an accepted certificate to authenticate with an arbitrary accepted identity. I rebased the branch to the current master (only compile-tested), but you should really fix your certificates/configs instead.
Thank you Tobias, will give it a go.
We are working on fixing the certificates... but as you probably know, it's a painful process (can't wait for all the devices to switch to EAP-Only :))
#5 Updated by Tobias Brunner over 8 years ago
- Related to Issue #2110: Remote Identity (IDr) in IKE AUTH Response is sent as hex-encoded binary value instead of text when setting leftid to type KEY_ID (leftid=@#xxxxxxx) added
#6 Updated by Noel Kuntze over 8 years ago
- Status changed from Feedback to Closed
- Resolution set to No feedback