Bug #5323
closedMy Certificate Authority is displayed/saved for authentication methods where it is not needed
100%
Description
On the IPSec phase 1 settings page (vpn_ipsec_phase1.php), the field "My Certificate Authority" is displayed for all authentication methods except "Mutual PSK" and "Mutual PSK + xauth". That attribute is used to specify the trust chain that will be accepted for a peer that is using a certificate to authenticate. The only methods where this is required are "Mutual RSA", "Mutual RSA + xauth", and "EAP-TLS". The attribute also ends up being displayed and saved when the methods "Hybrid RSA + xauth", "EAP-RADIUS", and "EAP-MSCHAPv2" are selected. The peer does not use a certificate to authenticate for those methods.
The field should only be displayed for the methods where it will be used and it should only be saved to the config.xml for those methods.
Updated by Jim Pingle about 9 years ago
EAP-MSCHAPv2 and EAP-RADIUS do still use the Certificate Authority/Server Certificate, it fails if the CA is not present on the client, they don't use client certificates though. At least for Windows, Android with strongSwan, and Ubuntu (strongSwan with Network Manager). The latter two make you select the CA manually in the client.
Updated by Matthew Smith about 9 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset 3f0b8a959dd6109b29379f9fb93d392bcd57e15b.
Updated by Matthew Smith about 9 years ago
Applied in changeset ca35be37bf73efc5fd98a473bdc3a8b4fc6b90ca.
Updated by Matthew Smith about 9 years ago
To paraphrase an offline discussion between JimP and me about this ticket...
In 2.2.4, the caref attribute that was set on the phase1 when you select a value for "My Certificate Authority" was not applied to any of the strongswan configurations. The call in vpn.inc that generates configurations for strongswan was just taking all of the CA's in the config.xml (whether or not they were associated with any IPSec phase1) and writing them to ipsec.d/cacerts and not making any further configurations, so any CA created or imported on the local system was trusted as a signing CA for any VPN connection that allowed certificate authentication. So previously the "My Certificate Authority" setting had little value. This has been changed for 2.2.5 by a couple of recent tickets that use this value to set "rightca" for a connection and to limit the certificates copied into ipsec.d/cacerts to those that are part of the CA chain for the server cert or for remote peer authentication.
The fact that it's called "My Certificate Authority" (vs "Peer Certificate Authority") could/should mean that it's used to set the Certificate Authority that governs the local end of the connection and not the remote peer's trust chain. But the certificate selected as "My Certificate" will already have a signing CA so the local endpoint CA chain will implicitly be known. So "My Certificate Authority" was changed to the name "Peer Certificate Authority" and will be understood to be used to configure which CAs are trusted as signing authorities of certificates used by peers for authentication.