> On Jul 30, 2024, at 20:34, Stuart Henderson <s...@spacehopper.org> wrote:
> 
> On 2024/07/30 20:19, J Doe wrote:
>>> On 2024-07-30 19:39, Stuart Henderson wrote:
>>> 
>>> On 2024-07-30, J Doe <gene...@nativemethods.com> wrote:
>>>> As a result of continuing to experiment with my configuration, I ran
>>>> into a new issue.  I followed the instructions in the OpenBSD FAQ[0] for
>>>> an X.509 configuration - in particular the following (with hostnames for
>>>> my server and Mac):
>>>> 
>>>>      server1# ikectl ca vpn certificate client1.domain create
>>>>      server1# cp /etc/ssl/vpn/client1.domain.crt /etc/iked/certs/
>>>>      server1# ikectl ca vpn certificate client1.domain export
>>> 
>>> BTW this is a shortcut that ikectl implements to make things easy,
>>> although it does mean that the client's "private" key actually ends
>>> up on the server.
>>> 
>>> The traditional way of doing this is exactly like an X509 cert for a
>>> web server, i.e. the client generates a private key and cert signing
>>> request, the key is never transferred off the machine, only the CSR
>>> which is taken to the CA. The CA then uses that to produce a cert
>>> which is signed by the CA and sent back.
>>> 
>>> See the X.509 AUTHENTICATION section in isakmpd(8) for some gory
>>> details which are mostly hidden if you use "ikectl ca".
>>> 
>>>>      server1# tar -C /tmp -xzf client1.domain.tgz *pfx
>>>>      server1# cp /tmp/export/client1.domain.pfx \
>>>>          /var/www/htdocs/client1.domain.pfx
>>>> 
>>>> ...so on my OpenBSD server I have the client's X.509 certificate and the
>>>> CA certificate at: /etc/iked/certs.
>>>> 
>>>> I then removed the _client_ certificate from this location on the server
>>>> and attempted connecting from the Mac and it authenticated.
>>>> 
>>>> My new question is - shouldn't the server reject an X.509 authentication
>>>> attempt if the _client_ certificate is not on the server?
>>> 
>>> No, that's not how it is expected to work, you don't need the client cert
>>> on the server, just a way to validate that it's correct (by checking the
>>> CA's signature and, IIUC, checking the subjectAltName against srcid).
>> 
>> 
>> Hi Stuart,
>> 
>> Thanks for your reply.
>> 
>> Ok, I will make a note to read through the X.509 AUTHENTICATION section
>> in: man 8 isakmpd.
>> 
>> In regards to your last paragraph, where you state:
>> 
>>    "... just a way to validate that it's correct (by checking the CA's
>>    signature ..."
>> 
>> ... does that mean if I remove my: ca.crt file from: /etc/iked/ca on the
>> _server_ that the client should _not_ be able to authenticate, or is
>> validating the CA's signature not dependent on that?
> 
> As far as I know that's correct, I don't think there's anywhere else
> that it should be picking up the CA cert from.

Hi,

Interesting.  I moved the: ca.crt file from: /etc/iked/ca on the server to the
home directory and re-started iked and the client is still able to authenticate.

Is it possible that iked can authenticate the client based on the server
certificate?  In my iked.conf configuration it is specified via:

   srcid server.home.arpa 

... and the server certificate: server.home.arpa.crt is stored in:
/etc/iked/certs on the server.

Is it possible that the: ca.crt is bundled in there and that is what it is
using in the absence of: /etc/iked/ca/ca.crt?

Thanks again,

- J
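As an added example that is not part of this thread (plain openssl(1) in a scratch directory instead of ikectl, with made-up names), this walks through the CSR flow Stuart describes, where the client key never leaves the client, and then shows that validating the resulting client cert depends on having the CA cert available, not the client cert itself:

```shell
#!/bin/sh
# Added example, not from the thread or from ikectl: the CSR-based workflow
# with openssl(1), plus a check of what CA-signature validation depends on.
# Hostnames and CA name are made up for the demo.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. The CA (on the server): a self-signed CA cert. Its key stays on the CA host.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=demo-vpn-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# 2. The client: generates its own key and a CSR. Only the CSR goes to the CA.
make_client_csr() {   # $1 = hostname the client will use as its id
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

# 3. The CA signs the CSR and puts the hostname into subjectAltName, which is
#    the field the thread says iked compares against the peer's id.
sign_csr() {          # $1 = hostname
  printf 'subjectAltName=DNS:%s\n' "$1" > "$WORK/$1.ext"
  openssl x509 -req -days 30 -in "$WORK/$1.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/$1.ext" \
    -out "$WORK/$1.crt" >/dev/null 2>&1
}

# What a verifier needs is the CA cert, not a copy of the client cert.
# Prints "valid" when the chain checks out, "invalid" otherwise (including
# when the CA cert is simply not there).
verify_client() {     # $1 = client cert, $2 = CA cert path (may be missing)
  if [ -f "$2" ] && openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo valid
  else
    echo invalid
  fi
}

# The DNS name in subjectAltName, i.e. the value matched against the peer id.
cert_san_dns() {      # $1 = cert
  openssl x509 -noout -text -in "$1" | sed -n 's/^ *DNS:\([^,]*\).*/\1/p' | head -1
}

make_ca
make_client_csr client1.domain
sign_csr client1.domain
rm "$WORK/client1.domain.csr"   # the CA has no further use for the CSR
echo "SAN:             $(cert_san_dns "$WORK/client1.domain.crt")"
echo "with CA cert:    $(verify_client "$WORK/client1.domain.crt" "$WORK/ca.crt")"
echo "without CA cert: $(verify_client "$WORK/client1.domain.crt" "$WORK/missing.crt")"
```

The client's private key (client1.domain.key) is created and stays in the client's directory; only client1.domain.crt and ca.crt would be handed to the verifying side.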
