Feature #3423

Specify which certificates to send with send_certreq?

Added by Glen Huang 4 months ago. Updated 4 months ago.

Status:
Feedback
Priority:
Normal
Assignee:
-
Category:
-
Target version:
-
Start date:
23.04.2020
Due date:
Estimated time:
Resolution:

Description

When authenticating with certificates on a strongSwan responder, I have CA certificates that are meant to authenticate initiators, and others that are sent to initiators to authenticate the responder itself. Enabling send_certreq sends all CA certificates regardless of how they are meant to be used.

Is it possible to specify that strongSwan should only send certificates specified in remote.cacerts, or to mark any CA certificate not to be sent in certreq?

History

#1 Updated by Tobias Brunner 4 months ago

  • Status changed from New to Feedback

Note that no CA certificates are actually sent, only SHA-1 hashes.

Is it possible to specify that StrongSwan should only send certificates specified in remote.cacerts

That's theoretically already the case. However, when a responder has to send certificate requests (in the IKE_SA_INIT response) it does not yet have a peer config (which is selected based on the identities), so it can't use that option. Initiators, on the other hand, will only use configured CA certificates.

mark any CA certificate not to be sent in certreq?

Currently not.

#2 Updated by Glen Huang 4 months ago

Thanks for the quick reply.

I didn't realize the config was not yet matched when an initiator tried to connect.

However, does that mean that if I have multiple connections, each with their own remote.cacerts, an initiator connecting to any connection is going to receive the combined remote.cacerts SHA-1 values of all connections, since charon at that point doesn't know which connection should be selected?

#3 Updated by Tobias Brunner 4 months ago

However, does that mean that if I have multiple connections, each with their own remote.cacerts, an initiator connecting to any connection is going to receive the combined remote.cacerts SHA-1 values of all connections, since charon at that point doesn't know which connection should be selected?

Again, for a responder, remote.cacert is completely irrelevant as it's not available when required. So a responder will send hashes for all trusted CA certificates that are loaded when generating the IKE_SA_INIT response.
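To see concretely what a responder reveals in its certificate request, here is an added example (not strongSwan code and not from this thread) that builds and parses an IKEv2 CERTREQ payload and maps the advertised hashes back to a set of configured trust anchors. The payload layout follows RFC 7296 section 3.7 (generic header, Cert Encoding byte, then concatenated SHA-1 hashes of each trust anchor's SubjectPublicKeyInfo); the SPKI byte strings and CA names are constructed placeholders.

```python
"""Build/parse an IKEv2 CERTREQ payload and classify the CA hashes it carries.

Added example; layout per RFC 7296 section 3.7. For Cert Encoding 4
("X.509 Certificate - Signature") the Certification Authority field is a
concatenation of 20-byte SHA-1 hashes of trust-anchor SubjectPublicKeyInfo.
"""
import hashlib
import struct

X509_SIGNATURE = 4  # Cert Encoding value for "X.509 Certificate - Signature"
SHA1_LEN = 20


def spki_hash(spki_der: bytes) -> bytes:
    """SHA-1 over the DER SubjectPublicKeyInfo, the form carried in CERTREQ."""
    return hashlib.sha1(spki_der).digest()


def build_certreq(ca_hashes: list[bytes], next_payload: int = 0) -> bytes:
    """Assemble a CERTREQ payload: 4-byte generic header + encoding + hashes."""
    body = bytes([X509_SIGNATURE]) + b"".join(ca_hashes)
    header = struct.pack("!BBH", next_payload, 0, 4 + len(body))
    return header + body


def parse_certreq(payload: bytes) -> list[bytes]:
    """Return the CA hashes a peer advertised, rejecting malformed payloads."""
    if len(payload) < 5:
        raise ValueError("CERTREQ too short")
    _next, _flags, length = struct.unpack("!BBH", payload[:4])
    if length != len(payload):
        raise ValueError("payload length field does not match data")
    encoding, ca_field = payload[4], payload[5:]
    if encoding != X509_SIGNATURE:
        raise ValueError(f"unsupported Cert Encoding {encoding}")
    if len(ca_field) % SHA1_LEN:
        raise ValueError("CA field is not a whole number of SHA-1 hashes")
    return [ca_field[i:i + SHA1_LEN] for i in range(0, len(ca_field), SHA1_LEN)]


def classify(advertised: list[bytes], known: dict[str, bytes]) -> tuple[list[str], int]:
    """Names of known CAs present in the request, plus count of unrecognised hashes."""
    by_hash = {spki_hash(spki): name for name, spki in known.items()}
    names = [by_hash[h] for h in advertised if h in by_hash]
    return names, sum(1 for h in advertised if h not in by_hash)


# Constructed stand-ins for the DER SubjectPublicKeyInfo of two trust anchors.
KNOWN_CAS = {"users-ca": b"constructed-spki-users-ca", "peer-ca": b"constructed-spki-peer-ca"}

if __name__ == "__main__":
    # A responder trusting both CAs advertises both hashes, as described above.
    req = build_certreq([spki_hash(s) for s in KNOWN_CAS.values()])
    print(classify(parse_certreq(req), KNOWN_CAS))  # (['users-ca', 'peer-ca'], 0)
```

Feeding the CERTREQ bytes captured from a real IKE_SA_INIT response into parse_certreq, with KNOWN_CAS holding the actual SPKI DER of each loaded CA, shows exactly which trust anchors the responder discloses.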
