Hi All,

We have a question here concerning verification of the SeGW's certificate by the local tunnel initiator.

We configure our initiator with the FQDN of the SeGW. The initiator resolves this FQDN to an IP address and then sends the tunnel setup requests to that IP address with the IDr set to the FQDN. The SeGW eventually responds, in an IKE_AUTH, with its certificate. The initiator then verifies that certificate. Now, it is this verification we'd like some insight into.

Obviously, the certificate is checked against the remote end's Root CA that the initiator has a copy of. What we'd like to know, if anyone can throw any light on the subject (pun intended), is the additional checking that takes place:

- Does strongSwan (on the initiator) check that the original FQDN/IDr is also in the certificate?
- If the certificate has only a "subject" and no "subjectAltName", does strongSwan check that the IDr matches the CN specified in the "subject" of the certificate?
- If the certificate has both a "subject" and "subjectAltName", does strongSwan check that the IDr matches EITHER the CN specified in the "subject" OR one of the multiple "subjectAltName" entries?

A customer of ours is convinced that if both a "subject" and one (or more) "subjectAltName" are present, the initiator must check that the IDr matches (one of) the "subjectAltName" entries AND must also check that the IDr does NOT match the "subject"'s CN. I would have thought that as long as the IDr matches EITHER one of the "subjectAltName" entries OR the "subject"'s CN, then the check has passed.

Hope this makes sense.

Regards,
Graham.
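The three readings of "does the IDr match the certificate" raised in the question (match either the subject CN or a subjectAltName entry; consult subjectAltName only when it is present, which is the convention RFC 6125 prescribes for TLS and falls back to the CN only for certificates without such entries; or require a subjectAltName match while forbidding a CN match) can be made concrete in a small matcher. The following is an added illustration written for this thread, not strongSwan's code, and it makes no claim about which policy strongSwan implements. The certificates are constructed sample data represented as already-parsed dictionaries rather than DER, so it runs offline without a crypto library; the identity-type names follow RFC 7296 section 3.5.

```python
"""Illustrative IKEv2 peer identity (IDr) vs. certificate identity matching.

Added example; not strongSwan's own code. Certificates are constructed,
pre-parsed dictionaries: {"subject": {"CN": ...}, "subjectAltName": [(type, value), ...]}.
"""
import ipaddress

# IKEv2 identity types (RFC 7296 section 3.5) and the subjectAltName
# GeneralName type each one is normally compared against.
ID_TO_SAN = {
    "FQDN": "dNSName",
    "RFC822_ADDR": "rfc822Name",
    "IPV4_ADDR": "iPAddress",
    "IPV6_ADDR": "iPAddress",
}


def _dns_equal(a, b):
    """DNS names compare case-insensitively; a trailing dot is ignored."""
    return a.rstrip(".").lower() == b.rstrip(".").lower()


def _email_equal(a, b):
    """Local part compares exactly, the domain part case-insensitively."""
    local_a, _, domain_a = a.rpartition("@")
    local_b, _, domain_b = b.rpartition("@")
    return local_a == local_b and _dns_equal(domain_a, domain_b)


def _value_equal(san_type, presented, reference):
    """Compare one presented identifier with the reference identifier (IDr).

    Raises ValueError when an iPAddress comparison meets a non-address string.
    """
    if san_type == "dNSName":
        return _dns_equal(presented, reference)
    if san_type == "rfc822Name":
        return _email_equal(presented, reference)
    if san_type == "iPAddress":
        return ipaddress.ip_address(presented) == ipaddress.ip_address(reference)
    return False


def san_entries(cert, id_type):
    """subjectAltName values whose GeneralName type corresponds to id_type."""
    wanted = ID_TO_SAN[id_type]
    return [v for t, v in cert.get("subjectAltName", []) if t == wanted]


def matches_san(cert, id_type, id_value):
    """True if any subjectAltName entry of the matching type equals the IDr."""
    san_type = ID_TO_SAN[id_type]
    return any(_value_equal(san_type, v, id_value) for v in san_entries(cert, id_type))


def matches_cn(cert, id_type, id_value):
    """True if the subject CN, read as an identifier of the IDr's type, equals the IDr."""
    cn = cert.get("subject", {}).get("CN")
    if cn is None:
        return False
    try:
        return _value_equal(ID_TO_SAN[id_type], cn, id_value)
    except ValueError:  # CN is not parseable as an address of that type
        return False


def verify_identity(cert, id_type, id_value, policy="san_preferred"):
    """Decide whether the certificate is valid for the IDr under a named policy.

    "san_preferred": if the certificate carries subjectAltName entries of the
        IDr's type, only those are consulted (RFC 6125 rule for TLS); the CN
        is a fallback solely for certificates without such entries.
    "either": accept a match in subjectAltName or in the subject CN.
    "san_and_not_cn": require a subjectAltName match and additionally reject
        the certificate if the CN also matches (the reading described by the
        customer in the question).
    """
    in_san = matches_san(cert, id_type, id_value)
    in_cn = matches_cn(cert, id_type, id_value)
    if policy == "san_preferred":
        return in_san if san_entries(cert, id_type) else in_cn
    if policy == "either":
        return in_san or in_cn
    if policy == "san_and_not_cn":
        return in_san and not in_cn
    raise ValueError("unknown policy: %s" % policy)


# Constructed sample certificates (not real ones).
CERT_SAN_AND_CN = {
    "subject": {"CN": "segw.example.net"},
    "subjectAltName": [("dNSName", "segw.example.net"),
                       ("dNSName", "segw-backup.example.net"),
                       ("iPAddress", "192.0.2.10")],
}
CERT_CN_ONLY = {"subject": {"CN": "segw.example.net"}}
CERT_SAN_DIFFERS_FROM_CN = {
    "subject": {"CN": "segw.example.net"},
    "subjectAltName": [("dNSName", "other.example.net")],
}
```

Running the three sample certificates against an IDr of FQDN `segw.example.net` shows where the policies diverge: the certificate whose subjectAltName names only `other.example.net` passes under "either" but fails under "san_preferred", and the certificate whose CN equals its subjectAltName entry, the common case in practice, fails only under "san_and_not_cn".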
_______________________________________________ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users