Hi Karl,
Using the "stroke" interface does not impact this; it appears to be
something changed between 5.9.5 and 5.9.6 and the release notes imply
this is likely the cause:
* The client identity (e.g. the IKE or EAP identity for EAP-TLS) is
again enforced by libtls.
Yes, this was a regression introduced with the TLS 1.3 changes in 5.9.2.
Any version between that and 5.9.6 didn't verify that the client's
identity is confirmed by the certificate (so users could authenticate as
any identity as long as they had a valid and trusted certificate).
And, it appears, Windows is insisting on using the CN when presenting
the identity (instead of the field(s) in the SAN) unless you set the
option on the VPN profile to allow an override -- and then you have to
hand-key it on each connection. I don't believe there is any way to
tell Windows to use the SAN identity or identities on its own.
Yes, as documented on [1], the Windows client uses the CN value as EAP
identity with EAP-TLS (i.e. user certificates). I didn't know this can
actually be changed, so that might be something we could add to the
docs. Could you provide details on this? Anyway, without explicit
changes on the client, this only works if the certificate contains a
matching SAN.
The problem is that the EAP identity does not contain a type, so unless
the data is ASN.1 (e.g. a full binary DN), the rules at [2] apply when
the identity is parsed. In your case, with
the "CN" of these certs is the full name of the person, not an email address
the SAN would have to be of type dNSName as that's the default fallback
for the parser. Considering that the full name probably contains spaces
that might be a bit weird but it's perfectly legal as dNSName is of type
IA5String, which accepts all ASCII characters, and DNS names may consist
of any 8-bit characters (only to host names apply some further
restrictions).
Regards,
Tobias
[1]
https://docs.strongswan.org/docs/5.9/interop/windowsCertRequirements.html#_client_certificates
[2] https://docs.strongswan.org/docs/5.9/config/identityParsing.html
