<p>pfSense bugtracker: <a href="https://redmine.pfsense.org/issues/4991">pfSense - Feature #4991: WebGUI does not support ECDSA certificates for IPSec Stage 1</a></p>
<p><strong>Updated by Chris Buechler (cbuechler@gmail.com)</strong> on 2016-02-06T05:08:33Z (<a href="https://redmine.pfsense.org/issues/4991?journal_id=24995">journal 24995</a>)</p>
<ul><li><strong>Category</strong> set to <i>IPsec</i></li></ul>
<p><strong>Updated by Viktor Gurov</strong> on 2019-11-13T23:23:50Z (<a href="https://redmine.pfsense.org/issues/4991?journal_id=42887">journal 42887</a>)</p>
<p>Can be closed.</p>
<p>Currently pfSense supports ECDSA; see <a class="external" href="https://redmine.pfsense.org/issues/9843">https://redmine.pfsense.org/issues/9843</a>.</p>
<p><strong>Updated by Jim Pingle</strong> on 2019-11-14T08:09:30Z (<a href="https://redmine.pfsense.org/issues/4991?journal_id=42889">journal 42889</a>)</p>
<ul><li><strong>Assignee</strong> set to <i>Jim Pingle</i></li><li><strong>Target version</strong> set to <i>2.5.0</i></li></ul><p>While support for ECDSA certificates is in 2.5.0, it needs to be tested with IPsec specifically to ensure it works.</p>
<p>Also, if it does work (which the strongSwan docs suggest it should), then it's probably time to finally rename any IPsec Certificate-based authentication methods using "RSA" to something more generic:</p>
<p>For example, changing this:</p>
<pre>
$p1_authentication_methods = array(
'hybrid_rsa_server' => array('name' => gettext('Hybrid RSA + Xauth'), 'mobile' => true),
'xauth_rsa_server' => array('name' => gettext('Mutual RSA + Xauth'), 'mobile' => true),
'xauth_psk_server' => array('name' => gettext('Mutual PSK + Xauth'), 'mobile' => true),
'eap-tls' => array('name' => gettext('EAP-TLS'), 'mobile' => true),
'eap-radius' => array('name' => gettext('EAP-RADIUS'), 'mobile' => true),
'eap-mschapv2' => array('name' => gettext('EAP-MSChapv2'), 'mobile' => true),
'rsasig' => array('name' => gettext('Mutual RSA'), 'mobile' => false),
'pre_shared_key' => array('name' => gettext('Mutual PSK'), 'mobile' => false)
);
</pre>
<p>Into this:</p>
<pre>
$p1_authentication_methods = array(
'hybrid_cert_server' => array('name' => gettext('Hybrid Certificate + Xauth'), 'mobile' => true),
'xauth_cert_server' => array('name' => gettext('Mutual Certificate + Xauth'), 'mobile' => true),
'xauth_psk_server' => array('name' => gettext('Mutual PSK + Xauth'), 'mobile' => true),
'eap-tls' => array('name' => gettext('EAP-TLS'), 'mobile' => true),
'eap-radius' => array('name' => gettext('EAP-RADIUS'), 'mobile' => true),
'eap-mschapv2' => array('name' => gettext('EAP-MSChapv2'), 'mobile' => true),
'cert' => array('name' => gettext('Mutual Certificate'), 'mobile' => false),
'pre_shared_key' => array('name' => gettext('Mutual PSK'), 'mobile' => false)
);
</pre>
<p>With upgrade code to adjust existing values.</p>
<p>Also, judging by the strongSwan and other docs, IPsec only supports a few curves with IKEv2 (and apparently only IKEv2): <code>prime256v1</code>, <code>secp384r1</code>, and <code>secp521r1</code>. This warrants input validation after testing to ensure that a compatible combination of options has been chosen.</p>
<p><strong>Updated by Jim Pingle</strong> on 2019-11-14T13:10:40Z (<a href="https://redmine.pfsense.org/issues/4991?journal_id=42896">journal 42896</a>)</p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>In Progress</i></li></ul><p>ECDSA keys do work with IPsec, but the OP is right that the key type in ipsec.secrets is incorrect. It needs a fix there to detect the key type. I will commit a fix along with other related fixes I have coming. Additionally, though the documentation only states ECDSA works with IKEv2, it also works with IKEv1 in strongSwan.</p>
<p><strong>Updated by Jim Pingle</strong> on 2019-11-14T15:05:06Z (<a href="https://redmine.pfsense.org/issues/4991?journal_id=42899">journal 42899</a>)</p>
<ul><li><strong>Status</strong> changed from <i>In Progress</i> to <i>Feedback</i></li><li><strong>% Done</strong> changed from <i>0</i> to <i>100</i></li></ul><p>Applied in changeset <a class="changeset" title="GUI improvements for ECDSA certificate handling * Make central functions to check and test ECDSA..." href="https://redmine.pfsense.org/projects/pfsense/repository/2/revisions/cffcf9bfaa1a054917d3427cbc7885b97db8902c">cffcf9bfaa1a054917d3427cbc7885b97db8902c</a>.</p>
<p><strong>Updated by Jim Pingle</strong> on 2019-11-15T15:13:27Z (<a href="https://redmine.pfsense.org/issues/4991?journal_id=42919">journal 42919</a>)</p>
<p>I split the task of renaming the options/fixing the backend code to change from "RSA" to "Certificate" into a new issue: <a class="issue tracker-4 status-3 priority-4 priority-default closed" title="Todo: Rename IPsec "RSA" options to more generic "Certificate" options (Resolved)" href="https://redmine.pfsense.org/issues/9903">#9903</a></p>
<p>So this issue is now only for testing ECDSA certificates with IPsec and ensuring that certificates with incompatible curves are hidden from the certificate list.</p>
<p><strong>Updated by Jim Pingle</strong> on 2020-01-08T09:49:26Z (<a href="https://redmine.pfsense.org/issues/4991?journal_id=44093">journal 44093</a>)</p>
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Resolved</i></li></ul><p>Works fine now.</p>
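<p>As an added illustration of the two points the thread raises (detecting the key type for the ipsec.secrets entry instead of hard-coding "RSA", and keeping certificates whose curve is not prime256v1, secp384r1 or secp521r1 out of the IPsec certificate list), the PHP below is example code written for this page, not pfSense's code from the linked changeset. The function names are invented for the example, the key path is a placeholder, and the sample keys are generated inline; the <code>: RSA|ECDSA &lt;file&gt;</code> form is strongSwan's ipsec.secrets syntax.</p>

```php
<?php
// Added example, not pfSense code: the two checks discussed in the thread, choosing
// the ipsec.secrets key type (RSA vs ECDSA) and deciding whether an ECDSA curve is usable.
// Curves the thread lists as supported by strongSwan for IPsec.
const IPSEC_ECDSA_CURVES = ['prime256v1', 'secp384r1', 'secp521r1'];

// Returns ['type' => 'RSA'|'ECDSA'|null, 'curve' => string|null] for a PEM private key.
function ipsec_key_info(string $pem): array {
    $key = openssl_pkey_get_private($pem);
    if ($key === false) {
        return ['type' => null, 'curve' => null];
    }
    $d = openssl_pkey_get_details($key);
    switch ($d['type']) {
        case OPENSSL_KEYTYPE_RSA:
            return ['type' => 'RSA', 'curve' => null];
        case OPENSSL_KEYTYPE_EC:
            // 'curve_name' in the 'ec' details requires PHP 7.1 or later
            return ['type' => 'ECDSA', 'curve' => $d['ec']['curve_name']];
        default:
            return ['type' => null, 'curve' => null];
    }
}

// True when the key may be offered in the IPsec certificate list: RSA, or ECDSA on a supported curve.
function ipsec_key_compatible(string $pem): bool {
    $info = ipsec_key_info($pem);
    return $info['type'] === 'RSA'
        || ($info['type'] === 'ECDSA' && in_array($info['curve'], IPSEC_ECDSA_CURVES, true));
}

// strongSwan ipsec.secrets entry whose keyword matches the key instead of a hard-coded "RSA".
function ipsec_secrets_line(string $pem, string $path): ?string {
    $info = ipsec_key_info($pem);
    return $info['type'] === null ? null : sprintf(': %s %s', $info['type'], $path);
}

// Constructed sample keys, generated here rather than taken from the issue.
$samples = [
    'rsa-2048'   => ['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048],
    'prime256v1' => ['private_key_type' => OPENSSL_KEYTYPE_EC, 'curve_name' => 'prime256v1'],
    'secp256k1'  => ['private_key_type' => OPENSSL_KEYTYPE_EC, 'curve_name' => 'secp256k1'],
];
foreach ($samples as $label => $conf) {
    openssl_pkey_export(openssl_pkey_new($conf), $pem);
    printf("%-10s compatible=%s  secrets=%s\n", $label,
        ipsec_key_compatible($pem) ? 'yes' : 'no',
        ipsec_secrets_line($pem, '/path/to/key.pem') ?? 'n/a');  // placeholder path
}
```

<p>The secp256k1 key is parsed fine and gets a correct <code>: ECDSA</code> secrets line, but <code>ipsec_key_compatible()</code> rejects it, which is the filter the certificate list needs.</p>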