Bug #5323


My Certificate Authority is displayed/saved for authentication methods where it is not needed

Added by Matthew Smith almost 8 years ago. Updated almost 8 years ago.

Target version:
Start date:
Due date:
% Done:


Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
Affected Architecture:


On the IPSec phase 1 settings page (vpn_ipsec_phase1.php), the field "My Certificate Authority" is displayed for all authentication methods except "Mutual PSK" and "Mutual PSK + xauth". That attribute is used to specify the trust chain that will be accepted for a peer that is using a certificate to authenticate. The only methods where this is required are "Mutual RSA", "Mutual RSA + xauth", and "EAP-TLS". The attribute also ends up being displayed and saved when the methods "Hybrid RSA + xauth", "EAP-RADIUS", and "EAP-MSCHAPv2" are selected. The peer does not use a certificate to authenticate for those methods.

The field should only be displayed for the methods where it will be used and it should only be saved to the config.xml for those methods.

Actions #1

Updated by Jim Pingle almost 8 years ago

EAP-MSCHAPv2 and EAP-RADIUS do still use the Certificate Authority/Server Certificate, it fails if the CA is not present on the client, they don't use client certificates though. At least for Windows, Android with strongSwan, and Ubuntu (strongSwan with Network Manager). The latter two make you select the CA manually in the client.

Actions #2

Updated by Matthew Smith almost 8 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
Actions #4

Updated by Matthew Smith almost 8 years ago

To paraphrase an offline discussion between JimP and me about this ticket...

In 2.2.4, the caref attribute that was set on the phase1 when you select a value for "My Certificate Authority" was not applied to any of the strongswan configurations. The call in that generates configurations for strongswan was just taking all of the CA's in the config.xml (whether or not they were associated with any IPSec phase1) and writing them to ipsec.d/cacerts and not making any further configurations, so any CA created or imported on the local system was trusted as a signing CA for any VPN connection that allowed certificate authentication. So previously the "My Certificate Authority" setting had little value. This has been changed for 2.2.5 by a couple of recent tickets that use this value to set "rightca" for a connection and to limit the certificates copied into ipsec.d/cacerts to those that are part of the CA chain for the server cert or for remote peer authentication.

The fact that it's called "My Certificate Authority" (vs "Peer Certificate Authority") could/should mean that it's used to set the Certificate Authority that governs the local end of the connection and not the remote peer's trust chain. But the certificate selected as "My Certificate" will already have a signing CA so the local endpoint CA chain will implicitly be known. So "My Certificate Authority" was changed to the name "Peer Certificate Authority" and will be understood to be used to configure which CAs are trusted as signing authorities of certificates used by peers for authentication.

Actions #5

Updated by Chris Buechler almost 8 years ago

  • Status changed from Feedback to Resolved

all good


Also available in: Atom PDF