
Feature #2904

Add checkbox or default option for "verify_identifier on;" on IPsec RSA VPNs

Added by Jorge Albarenque over 6 years ago. Updated over 5 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
IPsec
Target version:
Start date:
03/24/2013
Due date:
% Done:

100%

Estimated time:

Description

The ASN1DN field on the "peers_identifier" option within racoon.conf can be used to specify which certificate or set of certificates should be allowed to connect. Anyway, for this to take effect, there's an additional option required on the racoon.conf file:

verify_identifier on;

The default value for this is off. I guess this can be set to always on without harm, and with increased security. If the ASN1DN values are left blank, they will be taken and verified from the certificates themselves. If you specify an ASN1DN manually, it will be used for verification.

In case I am missing something else that might break by adding this as a default option, a checkbox to enable it will be great.

Check my post about the topic and the racoon.conf man page for more info.

Thanks!
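As an added example (not code from this issue, the forum post, or pfSense itself), a small audit script that walks the `remote` blocks of a racoon.conf and reports peers that use an `asn1dn` peers_identifier without `verify_identifier on;`, which is the condition the description above is about. The configuration it scans is constructed for the example, and the block matching is a simple regex over racoon's brace layout rather than a full racoon.conf parser.

```python
import re

# Constructed sample racoon.conf (not from the issue page): the first remote
# block omits verify_identifier (racoon's default is off), the second is hardened.
SAMPLE_RACOON_CONF = """remote 203.0.113.10 {
        my_identifier asn1dn;
        peers_identifier asn1dn "C=US, O=Example, CN=branch-a.example.com";
        certificate_type x509 "cert.pem" "key.pem";
        proposal {
                authentication_method rsasig;
        }
}
remote 203.0.113.20 {
        my_identifier asn1dn;
        peers_identifier asn1dn;
        verify_identifier on;
        certificate_type x509 "cert.pem" "key.pem";
        proposal {
                authentication_method rsasig;
        }
}
"""

# Matches a top-level "remote <peer> { ... }" block. The remote block's closing
# brace sits at column 0; the nested proposal brace is indented, so it is skipped.
REMOTE_RE = re.compile(r"remote\s+(\S+)\s*\{(.*?)\n\}", re.DOTALL)


def remote_blocks(conf):
    """Map each remote peer address to the raw body of its block."""
    return {m.group(1): m.group(2) for m in REMOTE_RE.finditer(conf)}


def unverified_asn1dn_peers(conf):
    """Peers whose peers_identifier is asn1dn but which lack 'verify_identifier
    on;', so the peer's DN is never checked against the configured identifier."""
    flagged = []
    for peer, body in remote_blocks(conf).items():
        uses_asn1dn = re.search(r"^\s*peers_identifier\s+asn1dn\b", body, re.M)
        verifies = re.search(r"^\s*verify_identifier\s+on\s*;", body, re.M)
        if uses_asn1dn and not verifies:
            flagged.append(peer)
    return flagged


if __name__ == "__main__":
    for peer in unverified_asn1dn_peers(SAMPLE_RACOON_CONF):
        print(f"{peer}: peers_identifier asn1dn without 'verify_identifier on;'")
```

An explicit `verify_identifier off;` is flagged the same way as a missing line, since both leave the DN unchecked.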

Associated revisions

Revision 6d0f5a63 (diff)
Added by Renato Botelho over 5 years ago

Add an option to verify peers_identifier when it's ASN.1 distinguished name. It should fix #2904

History

#1 Updated by Doktor Notor over 5 years ago

Guys, this is NOT a feature request, this is a major security issue! Can someone finally fix this?

https://forum.pfsense.org/index.php/topic,65002.0.html

#2 Updated by Renato Botelho over 5 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#3 Updated by Doktor Notor over 5 years ago

Yay! Excellent, works just fine.

#4 Updated by Renato Botelho over 5 years ago

  • Status changed from Feedback to Resolved

#5 Updated by Renato Botelho over 5 years ago

  • Category set to IPsec
  • Target version set to 2.1.1
  • Affected Version set to 2.1
