Feature #391
Updated by Tobias Brunner about 12 years ago
Add DNSSEC protected CERT RR delivered certificate authentication.
New dnscert plugin is based on ipseckey plugin and reuses most of its code
in particular plugin and credential enumerator part.
Plugin relies on existing PEM decoder as well as x509 and PGP parsers. As
such plugin expects PEM encoded PKIX(x509) or PGP(GPG) certificate payload.
Certificate's pubkey algorithms are currently restricted to RSA family,
although it's not a hard restriction since strongswan is capable of handling ECC
certificates. ECC can be fed using algorithm 0(Undefined) if required.
The plugin is targeted to improve interoperability with Racoon, which supports
this type of authentication, ignoring in-stream certificates and using only DNS
provided certificates for FQDN ID.
<pre>
Aug 28 19:22:27 mo.ruff.mobi charon[32403]: 12[ENC] parsed ID_PROT response 0 [ ID SIG ]
Aug 28 19:22:27 mo.ruff.mobi charon[32403]: 12[CFG] performing a DNS query for DNSCERT RRs of 'sun.example.com'
Aug 28 19:22:27 mo.ruff.mobi charon[32403]: 12[CFG] using trusted certificate "C=CT, ST=City, O=Home, CN=sun.example.com, E=root@example.com"
Aug 28 19:22:27 mo.ruff.mobi charon[32403]: 12[IKE] authentication of 'sun.example.com' with RSA successful
Aug 28 19:22:27 mo.ruff.mobi charon[32403]: 12[IKE] IKE_SA vex[1] established between 192.168.1.4[alice.example.com]...10.1.2.3[sun.example.com]
Aug 28 19:22:27 mo.ruff.mobi charon[32403]: 12[IKE] IKE_SA vex[1] established between 192.168.1.4[alice.example.com]...10.1.2.3[sun.example.com]
Aug 28 19:22:27 mo.ruff.mobi charon[32403]: 12[IKE] scheduling reauthentication in 9854s
Aug 28 19:22:27 mo.ruff.mobi charon[32403]: 12[IKE] maximum IKE_SA lifetime 10394s
</pre>
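The acceptance rules in the description above, written out as a pre-parse check on CERT RR RDATA. This is an added example, not code from the dnscert plugin. It assumes the RFC 4398 RDATA layout, takes "RSA family" to mean the RSA entries of the DNSSEC algorithm registry, and treats a non-validated answer as a hard failure; all names in it are made up for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Result codes are names made up for this example. */
enum cert_rr_result { CERT_RR_OK, CERT_RR_INSECURE, CERT_RR_SHORT,
                      CERT_RR_BAD_TYPE, CERT_RR_BAD_ALG, CERT_RR_NOT_PEM };

/* RFC 4398 certificate types matching the two payloads described. */
#define CERT_TYPE_PKIX 1
#define CERT_TYPE_PGP  3

/* Constructed sample: type PKIX, key tag 0, algorithm 8 (RSASHA256),
 * followed by the start of a PEM armor line. */
const uint8_t sample_rr[] = { 0, 1, 0, 0, 8,
    '-', '-', '-', '-', '-', 'B', 'E', 'G', 'I', 'N', ' ' };

/* Assumed list: RSA entries of the DNSSEC algorithm registry, plus 0,
 * which the description says can be used to feed ECC certificates. */
static int alg_allowed(uint8_t alg)
{
    switch (alg) {
    case 0: case 1: case 5: case 7: case 8: case 10:
        return 1;
    default:
        return 0;
    }
}

/* rdata: type(2) | key tag(2) | algorithm(1) | certificate data.
 * dnssec_secure: nonzero only if the resolver validated the answer. */
enum cert_rr_result cert_rr_check(const uint8_t *rdata, size_t len,
                                  int dnssec_secure)
{
    static const char armor[] = "-----BEGIN ";
    const size_t alen = sizeof(armor) - 1;
    uint16_t type;

    if (!dnssec_secure)
        return CERT_RR_INSECURE;  /* unsigned data must not become trust */
    if (len < 5)
        return CERT_RR_SHORT;     /* fixed header is five bytes */
    type = (uint16_t)((rdata[0] << 8) | rdata[1]);
    if (type != CERT_TYPE_PKIX && type != CERT_TYPE_PGP)
        return CERT_RR_BAD_TYPE;
    if (!alg_allowed(rdata[4]))
        return CERT_RR_BAD_ALG;
    if (len - 5 < alen || memcmp(rdata + 5, armor, alen) != 0)
        return CERT_RR_NOT_PEM;   /* payload is expected PEM encoded */
    return CERT_RR_OK;
}
```

A record passing this check would still have to go through the PEM decoder and the x509 or PGP parser before its key is used to verify the peer's signature.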