To make this even more obvious, the name of such config item should
refer to "local" as :
"StrictLocalCert=yes" or "EnforceValidLocalCert=yes"
On 12/7/2017 11:17 AM, Jafar Al-Gharaibeh wrote:
Hi Andreas,
I agree with you completely. I wasn't suggesting to change the
default behavior, sorry I didn't make that clear. I was thinking of
adding a new connection configuration item like "StrictCert=yes" or
"EnforceValidCert=yes" to achieve the new behavior. The default for
such a new config would be still be no.
Kind Regards,
Jafar
On 12/7/2017 10:47 AM, Andreas Steffen wrote:
Hi Jafar,
I don't see any sense in strongSwan verifying local certificates.
At the extreme people are using self-signed certificates where there
is no trust chain at all both for the local and the remote end.
In that case trust has to be established over out-of-band channels.
You are free to patch strongSwan to add the desired functionality.
This is what open source software is all about. But we are not going to
integrate your patch into our master repository for the reasons
mentioned above.
There are a lot of external tools which allow you to check a trust
chain, among them the strongSwan "pki --verify" command which even
checks the revocation status of the certificate via CRL or OCSP servers.
Best regards
Andreas
On 07.12.2017 17:25, Jafar Al-Gharaibeh wrote:
Andreas, Tobias,
I would like to have this functionality, i.e, validating all certs
even local ones and only use them if they are valid. I can easily do
this via a script externally and prevent strongSwan from using them by
stashing them in a non standard location for example. But I would
rather
do it properly through strongSwan if possible. Is there anything that
would make no a good idea or a technical reason that would make this
hard to do? If the answer is no, then I will work on a patch to do
this. Please let me know.
Thanks,
Jafar
-------- Forwarded Message --------
Subject: Re: [strongSwan] Validating Local Host Own Certificate
Date: Thu, 7 Dec 2017 08:37:34 +0100
From: Andreas Steffen <andreas.stef...@strongswan.org>
To: Jafar Al-Gharaibeh <ja...@atcorp.com>,
users@lists.strongswan.org
Hi Jafar,
locally loaded certificates are always trusted.
Regards
Andreas
On 07.12.2017 07:44, Jafar Al-Gharaibeh wrote:
Hi,
I have noticed that when configuring the local certificate in a
connection via :
leftcert=cert.pem
The certificate is loaded and trusted without validating it through
CA/trust-chains. Is this behavior documented anywhere? digging through
documentation I only found old email references to this. Is this the
expected behavior? Is there a way to force one's own certificate
validation when loaded/used? i.e/ cert.pem above has to be validated
through a CA tustchain.
Thanks,
Jafar
--
======================================================================
Andreas steffenandreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution!www.strongswan.org
Institute for Networked Solutions
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[INS-HSR]==
