> On Dec 5, 2018, at 16:49, Jakob Bohm via dev-security-policy 
> <dev-security-policy@lists.mozilla.org> wrote:
> 
> Another question of relevance:
> 
> Does the applicable VPN hardware and software (Cisco VPN servers and
> compatible VPN clients) work with certificates that omit all the TLS-
> related EKUs, thus allowing future VPN certificates to fall outside the
> BRs ?

Speaking as an IKE/IPsec implementer.

Usually X509 is validated using standard libraries that only think of the TLS 
usage. So most certificates for VPN usage still add EKUs like serverAuth or 
clientAuth, or there will be interop problems.
Our implementation uses NSS, which only weeks ago implemented IPsec profiles 
that cause non-empty EKUs that miss serverAuth and clientAuth to validate 
correctly for IPsec.

In other words, “no” is the answer to your question for the generic case. If 
Cisco VPN servers only need to talk to Cisco VPN clients, then maybe their 
implementation could do its

Another issue is that some provisioning web GUIs for IPsec use the VPN gateway’s 
TLS server, usually using the same certificate, especially if also supporting 
other VPN protocols such as OpenVPN or AnyConnect/OpenConnect. So those would 
really need serverAuth.

Paul

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
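As an added example, not taken from Paul's message or from NSS or any VPN product it mentions: a small Python decoder for the DER-encoded extKeyUsage extension value, with two checkers that mirror the distinction above, a TLS-minded validator that insists on serverAuth and an IKE-aware profile that also accepts id-kp-ipsecIKE or anyExtendedKeyUsage. The profile rules and the sample extension bytes are constructed assumptions for illustration, not NSS's actual policy.

```python
"""Decode an extKeyUsage value (SEQUENCE OF OBJECT IDENTIFIER, RFC 5280 4.2.1.12)
and evaluate it under a TLS-style and an IPsec/IKE-style EKU profile."""

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth
IPSEC_IKE = "1.3.6.1.5.5.7.3.17"    # id-kp-ipsecIKE (RFC 4945)
ANY_EKU = "2.5.29.37.0"             # anyExtendedKeyUsage


def decode_oid(body: bytes) -> str:
    """OID content octets to dotted form; the first octet packs two arcs."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    if value:
        raise ValueError("truncated OID sub-identifier")
    lead = min(arcs[0] // 40, 2)
    return ".".join(str(x) for x in [lead, arcs[0] - 40 * lead] + arcs[1:])


def _read_tlv(buf: bytes, pos: int):
    """Read one definite-length DER tag/length/value starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("length exceeds buffer")
    return tag, buf[pos:end], end


def decode_eku(der: bytes) -> list:
    """Return the list of dotted EKU OIDs from the extension's DER value."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("extKeyUsage must be a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, oid_body, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        oids.append(decode_oid(oid_body))
    return oids


def tls_server_ok(ekus) -> bool:
    """TLS-minded rule (assumed): no extension, serverAuth, or anyEKU."""
    return ekus is None or SERVER_AUTH in ekus or ANY_EKU in ekus


def ipsec_ok(ekus) -> bool:
    """IKE-aware rule (assumed): also accepts ipsecIKE and TLS EKUs for interop."""
    return ekus is None or bool({IPSEC_IKE, ANY_EKU, SERVER_AUTH, CLIENT_AUTH} & set(ekus))


# Constructed sample extension values (hand-encoded DER, not real certificates).
VPN_ONLY_EKU = bytes.fromhex("300a06082b06010505070311")                      # {ipsecIKE}
WEB_AND_VPN_EKU = bytes.fromhex("301406082b0601050507030106082b06010505070311")  # {serverAuth, ipsecIKE}
```

Running the two checkers over `VPN_ONLY_EKU` shows the interop problem Paul describes: the IKE-aware profile accepts it, the TLS-minded one does not, while `WEB_AND_VPN_EKU` passes both.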
