Issue #902

Updated by Tobias Brunner over 5 years ago

I am doing a hash-and-URL encoding of X.509 certificate test with strongSwan version 5.0.2 running on Linux.
The connection profile I am testing is configured with PKI authentication as below.

In ipsec.conf:

<pre>
conn rw-pki
    left=%any
    leftsubnet=0.0.0.0/0
    leftcert=strongswan.cer
    leftid="CN=strongswan.net"
    leftfirewall=yes
    right=%any
    rightsourceip=x.x.x.x/n
    auto=add
    reauth=yes
</pre>


The CA section in ipsec.conf is as below:

<pre>
ca strongswanIm
    cacert=Interca.strongswan.cer
    certuribase=http://xx.strongswan.xx/certs/
    auto=add
</pre>


strongswan.cer is the entity certificate issued by Interca.strongswan.cer.
Interca.strongswan.cer is the intermediate certificate, issued by the root CA certificate root.strongswan.cer.

If I put Interca.strongswan.cer in the folder ipsec.d/cacerts, strongswan.cer is sent out as hash and URL, but the intermediate certificate Interca.strongswan.cer is also sent out as a complete certificate in the certificate payload of the AUTH response.

If I remove Interca.strongswan.cer from the folder ipsec.d/cacerts, strongSwan sends out the whole strongswan.cer certificate instead of hash and URL. It will not send out the intermediate certificate since it is not there.

So it looks to me that, in the case that an intermediate certificate exists, the intermediate certificate needs to be in the cacerts folder and will be sent out if we want to send the hash and URL of the entity certificate.

Is there any way not to send out the intermediate certificate while sending out the hash and URL of the entity certificate?
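As an added illustration (not strongSwan's code), this shows what a Hash and URL CERT payload carries per RFC 7296 section 3.6 (encoding 12, a 20-octet SHA-1 of the DER certificate, then the URL, which strongSwan forms as certuribase plus the hex SHA-1) and the check a receiver must make on the certificate it fetches. The DER bytes are constructed and the certuribase is the placeholder from the post.

```python
import hashlib

# IKEv2 CERT payload "Cert Encoding" value: Hash and URL of X.509 Certificate (RFC 7296, 3.6)
HASH_AND_URL_X509 = 12

# Constructed stand-in for a DER-encoded certificate, not a real certificate.
# A real one would come from: openssl x509 -in strongswan.cer -outform DER
SAMPLE_DER = bytes.fromhex("308201ee30820157a003020102020101")


def sha1_hex(der: bytes) -> str:
    """Hex SHA-1 of the DER certificate, the value strongSwan appends to certuribase."""
    return hashlib.sha1(der).hexdigest()


def cert_url(der: bytes, certuribase: str) -> str:
    """URL the peer is told to fetch: certuribase followed by the hex SHA-1 of the cert."""
    return certuribase + sha1_hex(der)


def encode_hash_and_url(der: bytes, certuribase: str) -> bytes:
    """Cert Encoding byte, 20-octet SHA-1 of the DER cert, then the URL bytes."""
    return (bytes([HASH_AND_URL_X509])
            + hashlib.sha1(der).digest()
            + cert_url(der, certuribase).encode("ascii"))


def decode_hash_and_url(payload: bytes) -> tuple:
    """Split a received Hash and URL payload into (20-byte hash, URL); reject other encodings."""
    if len(payload) < 22 or payload[0] != HASH_AND_URL_X509:
        raise ValueError("not a Hash and URL X.509 certificate payload")
    return payload[1:21], payload[21:].decode("ascii")


def fetched_cert_matches(expected_hash: bytes, fetched_der: bytes) -> bool:
    """The receiver must compare the downloaded DER against the hash from the payload
    before using the certificate; a mismatch means the URL served something else."""
    return hashlib.sha1(fetched_der).digest() == expected_hash


if __name__ == "__main__":
    base = "http://xx.strongswan.xx/certs/"
    payload = encode_hash_and_url(SAMPLE_DER, base)
    digest, url = decode_hash_and_url(payload)
    print(url, fetched_cert_matches(digest, SAMPLE_DER))
```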
