Project

General

Profile

Bug #5323

My Certificate Authority is displayed/saved for authentication methods where it is not needed

Added by Matthew Smith about 4 years ago. Updated about 4 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
IPsec
Target version:
Start date:
10/20/2015
Due date:
% Done:

100%

Estimated time:
Affected Version:
2.2.x
Affected Architecture:

Description

On the IPSec phase 1 settings page (vpn_ipsec_phase1.php), the field "My Certificate Authority" is displayed for all authentication methods except "Mutual PSK" and "Mutual PSK + xauth". That attribute is used to specify the trust chain that will be accepted for a peer that is using a certificate to authenticate. The only methods where this is required are "Mutual RSA", "Mutual RSA + xauth", and "EAP-TLS". The attribute also ends up being displayed and saved when the methods "Hybrid RSA + xauth", "EAP-RADIUS", and "EAP-MSCHAPv2" are selected. The peer does not use a certificate to authenticate for those methods.

The field should only be displayed for the methods where it will be used and it should only be saved to the config.xml for those methods.

Associated revisions

Revision 3f0b8a95 (diff)
Added by Matthew Smith about 4 years ago

Limit the auth methods where "My Certificate Authority" is displayed/saved for
mobile clients. Fixes #5323.

Revision ca35be37 (diff)
Added by Matthew Smith about 4 years ago

Limit the auth methods where "My Certificate Authority" is displayed/saved for
mobile clients. Fixes #5323.

History

#1 Updated by Jim Pingle about 4 years ago

EAP-MSCHAPv2 and EAP-RADIUS do still use the Certificate Authority/Server Certificate, it fails if the CA is not present on the client, they don't use client certificates though. At least for Windows, Android with strongSwan, and Ubuntu (strongSwan with Network Manager). The latter two make you select the CA manually in the client.

#2 Updated by Matthew Smith about 4 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#4 Updated by Matthew Smith about 4 years ago

To paraphrase an offline discussion between JimP and me about this ticket...

In 2.2.4, the caref attribute that was set on the phase1 when you select a value for "My Certificate Authority" was not applied to any of the strongswan configurations. The call in vpn.inc that generates configurations for strongswan was just taking all of the CA's in the config.xml (whether or not they were associated with any IPSec phase1) and writing them to ipsec.d/cacerts and not making any further configurations, so any CA created or imported on the local system was trusted as a signing CA for any VPN connection that allowed certificate authentication. So previously the "My Certificate Authority" setting had little value. This has been changed for 2.2.5 by a couple of recent tickets that use this value to set "rightca" for a connection and to limit the certificates copied into ipsec.d/cacerts to those that are part of the CA chain for the server cert or for remote peer authentication.

The fact that it's called "My Certificate Authority" (vs "Peer Certificate Authority") could/should mean that it's used to set the Certificate Authority that governs the local end of the connection and not the remote peer's trust chain. But the certificate selected as "My Certificate" will already have a signing CA so the local endpoint CA chain will implicitly be known. So "My Certificate Authority" was changed to the name "Peer Certificate Authority" and will be understood to be used to configure which CAs are trusted as signing authorities of certificates used by peers for authentication.

#5 Updated by Chris Buechler about 4 years ago

  • Status changed from Feedback to Resolved

all good

Also available in: Atom PDF