Hash and URL

This how-to guide will show you how to configure the hash and URL feature supported by IKEv2. In this
guide I will use entities known from our UML framework.

1. Introduction

To avoid UDP datagrams being fragmented, IKEv2 supports the hash and URL encoding of X.509 certificates.
So, instead of transmitting the binary DER encoded certificates in the IKE_AUTH exchange, only a hash and
a URL of each certificate are sent. The URL has to resolve to the DER encoded certificate, and the hash is
the SHA1 hash of that data.

The IKEv2 daemon charon supports both sending and receiving certificates encoded in this manner.
Receiving such payloads requires no configuration beyond enabling the feature (see the next section), so it
is not specifically covered in this guide.


In this guide, we want to configure a connection between carol and moon with winnetou
serving the certificates. Both peers have certificates issued by the strongSwan CA.

2. Enabling Hash and URL

Note: Since there are security concerns about accepting URLs supplied by unauthenticated peers and then
blindly downloading whatever may be found there, hash and URL is currently disabled by default.

To enable hash and URL support in charon, set the following option in strongswan.conf:

charon {
  hash_and_url = yes
}

3. Configuring the Base URL

The URLs that will be sent by carol and moon are built by appending the SHA1 hash of the DER
encoded certificate to a base URL configured in the CA section of the file ipsec.conf.
The option is certuribase and it has to be added to the ca section of the CA that issued the certificate
we want to send as hash and URL.

Note: a peer that sends its certificates as hash and URL still has to have these certificates locally available.

On carol the required CA section might look like this (likewise on moon; the certuribase value shown here
is a placeholder for the actual base URL of the web root on winnetou):

ca strongswan
  cacert=strongswanCert.pem
  certuribase=http://winnetou/

The URLs will then be built by concatenating the value of certuribase and the SHA1 hash of the DER encoded
certificate (you will see an example later on).

4. Preparing the Certificates

Next, the certificates have to be prepared and uploaded to the web server winnetou. The certificates
provided as examples in the UML framework are PEM encoded, so we first have to convert them to DER encoding.
Using openssl this is as simple as:

openssl x509 -in carolCert.pem -inform PEM -out carolCert.der -outform DER

As mentioned above the URL is just the base URL plus the SHA1 hash of the certificate data. To get the hash
we can once again use openssl:

openssl dgst -sha1 carolCert.der

This gives us 394ceefaef48af8394d9a0e63d74cc56a4117a23. All that is left is to rename the file carolCert.der
to that hash and place it in the web root of our web server winnetou.
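The following Python script is an added example, not part of the original guide and not strongSwan code. It
models what sections 3 and 4 do by hand (hash the DER data, build the URL from certuribase, store the file
under its hash name in the web root) and what the receiving side has to check before it can use a download:
the SHA1 of the fetched data must equal the hash carried in the CERT payload, otherwise the data is rejected.
The CERT payload layout used here (Cert Encoding 12, 20-octet SHA-1 hash followed by the URL) is the one
defined in RFC 7296. The DER bytes are a constructed placeholder rather than a real certificate, and the base
URL http://winnetou/ is an assumption, since the guide does not show the actual one.

```python
import hashlib
import hmac
import os
import tempfile
from typing import Tuple

# RFC 7296 section 3.6: Cert Encoding 12 = "Hash and URL of X.509 certificate"; the
# Certificate Data is the 20-octet SHA-1 hash of the DER certificate followed by the URL.
CERT_ENCODING_HASH_AND_URL = 12
SHA1_LEN = 20

# Constructed placeholder standing in for carolCert.der; this is not a real certificate.
CONSTRUCTED_DER = b"\x30\x82\x01\x00" + b"constructed-stand-in-for-carolCert.der"

# Assumed base URL (the guide does not show the real one): the web root of winnetou.
CERTURIBASE = "http://winnetou/"


def cert_hash(der: bytes) -> bytes:
    """SHA1 digest of the DER encoded certificate, as used by hash and URL."""
    return hashlib.sha1(der).digest()


def build_url(certuribase: str, der: bytes) -> str:
    """certuribase followed by the hex SHA1 hash, which is also the file name in the web root."""
    return certuribase + cert_hash(der).hex()


def publish(der: bytes, webroot: str) -> str:
    """Section 4 by hand: store the DER data under its hash name in the web root; return the path."""
    path = os.path.join(webroot, cert_hash(der).hex())
    with open(path, "wb") as f:
        f.write(der)
    return path


def encode_cert_data(certuribase: str, der: bytes) -> Tuple[int, bytes]:
    """Build (Cert Encoding, Certificate Data) for a hash and URL CERT payload."""
    return CERT_ENCODING_HASH_AND_URL, cert_hash(der) + build_url(certuribase, der).encode("ascii")


def decode_cert_data(encoding: int, data: bytes) -> Tuple[bytes, str]:
    """Split received Certificate Data into the 20-octet hash and the URL."""
    if encoding != CERT_ENCODING_HASH_AND_URL:
        raise ValueError("not a hash and URL certificate payload")
    if len(data) <= SHA1_LEN:
        raise ValueError("hash and URL data too short")
    return data[:SHA1_LEN], data[SHA1_LEN:].decode("ascii")


def accept_fetched(expected_hash: bytes, fetched: bytes) -> bool:
    """Receiver side: downloaded data is usable only if its SHA1 equals the hash from the payload.
    The hash binds the content, so a wrong or tampered download is rejected here."""
    return hmac.compare_digest(hashlib.sha1(fetched).digest(), expected_hash)


def demo() -> bool:
    """Run the whole flow end to end against a temporary web root; True if every check holds."""
    with tempfile.TemporaryDirectory() as webroot:
        path = publish(CONSTRUCTED_DER, webroot)
        encoding, data = encode_cert_data(CERTURIBASE, CONSTRUCTED_DER)
        expected, url = decode_cert_data(encoding, data)
        # The file name in the web root must be exactly the last component of the URL.
        if os.path.basename(path) != url.rsplit("/", 1)[1]:
            return False
        with open(path, "rb") as f:
            fetched = f.read()
        # A genuine download passes, a modified one does not.
        return accept_fetched(expected, fetched) and not accept_fetched(expected, fetched + b"\x00")


if __name__ == "__main__":
    print(build_url(CERTURIBASE, CONSTRUCTED_DER), demo())
```

The point of accept_fetched is the one the note in section 2 is about: the hash in the payload protects the
integrity of whatever is downloaded, but it says nothing about where the peer sends you to download it, which
is why the feature is off by default.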

5. Finished

In this example, carol should now be able to send her certificate as hash and URL and moon should then be able
to fetch it from

That's it ;-)