From: Jonatan Schlag
To: development@lists.ipfire.org
Subject: Re: Reason why we do not set rightca in the strongswan conf
Date: Fri, 14 Feb 2025 21:48:52 +0100
Message-ID: <29DE9509-29E2-4DFB-9776-88EE24235DCA@ipfire.org>

Hi,

> On 12.02.2025 at 10:26, Michael Tremer wrote:
> Hello Jonatan,
>
> That is a good question. I am aware of the certificate pinning problem that we have here and that we cannot easily just roll over the host certificate (which we should be able to!) because it is pinned on the remote side. I did not have time to look into this in detail, but simply accepting the CA would be a good solution for this and potentially will make the configuration even easier.
>
> Long term, I would like to think how to move away from X.509 for IPsec, but that is a story for another day.

Because the work of maintaining a certificate is too much? Or what are the reasons? I only need a short explanation. If there is a better alternative to implement than certificates, I'm happy to use this one. And we both don't need to turn further time into how this strongswan feature works.

>
> What are the disadvantages of just using the CA? I suppose there is the problem that most people don't use the FQDN of the remote side to establish their connections. Very often, the firewall does not even have a proper FQDN that actually resolves to the right IP address at all; therefore I believe that we cannot even perform any solid validation based on the certificate's subject/hostname.
>
> Usually within IPFire, this should not be a problem because the CA is not issuing that many certificates, but in theory it is possible to use a public CA. Both problems put together would mean that the remote firewall will accept *any* certificate that has ever been issued (even some road warrior certificates that might have been issued); or in case of a public CA like Let's Encrypt, this could be a large chunk of the internet.
>

The remote side id is also checked, isn't it? So we could somehow pin to one certificate even if the hostname does not match. And if Let's Encrypt provides you with a cert which has a subject alternative name set to something random, I would be very surprised.

> How does strongswan deal with incoming connections? Just because it has a CA does not mean that it should find the right connection because this usually is found by the subject of the certificate. Does it simply iterate through all CAs and go with anything that matches? That would be very broad as well I suppose.

It's kind of interesting. I've just read the documentation one more time and apparently you are supposed to set this option to the distinguished name of the certificate authority. I simply provided the file of my certificate authority certificate and it seems to work also. So we could set this relatively narrow, to the certificate authority we imported.

Jonatan

>
> So in theory, I like the idea, just the CA should be enough. But I believe in practice there might be some problems. Maybe some of the things I outlined here are not a concern at all; that would need to be tested. Are you up for that?
>
> -Michael
>
>> On 8 Feb 2025, at 20:50, Jonatan Schlag wrote:
>>
>> Hi list,
>>
>> recently I had to renew the host cert of my IPFire system for
>> strongswan. As we currently write:
>>
>> rightcert =
>>
>> into the config (see for this:
>> https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=html/cgi-bin/vpnmain.cgi;h=3541aaa29393091258456cf787fefe3ec5ca3cb4;hb=refs/heads/master#l379
>> I have to change the cert of the remote system as well. Is there a
>> reason for this? When I use
>>
>> rightca=
>>
>> the connection works out of the box. Is there a reason why we do not
>> make use of this option?
>>
>> Jonatan
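The two ipsec.conf variants the thread is weighing, shown side by side as an added example; this is not configuration from the thread or from IPFire's vpnmain.cgi, and the connection names, file paths and distinguished names are constructed placeholders:

```ini
# Constructed example; not IPFire's generated config.

# Variant A: the peer is pinned to one certificate file (what the thread
# says vpnmain.cgi writes today). When the peer renews its host cert,
# the new certificate has to be copied here too, or the tunnel breaks.
conn site-a-pinned
    leftcert=/etc/ipsec.d/certs/hostcert.pem         # our own host cert (placeholder path)
    rightid="C=DE, O=Example, CN=peer.example.org"   # placeholder peer subject DN
    rightcert=/etc/ipsec.d/certs/peer-hostcert.pem   # pinned copy of the peer's cert (placeholder path)
    rightauth=pubkey
    auto=start

# Variant B: trust the issuing CA instead of one certificate.
# rightca takes the CA's distinguished name, not a file path (the thread
# notes a path "seems to work", but the documented form is the DN).
# On its own, rightca makes every certificate chaining to that CA
# eligible, which is the breadth Michael warns about; rightid is what
# narrows it again: the peer's certificate must be signed by this CA
# AND carry this identity as its subject DN (or a SAN).
conn site-a-ca
    leftcert=/etc/ipsec.d/certs/hostcert.pem         # placeholder path
    rightca="C=DE, O=Example, CN=Example VPN CA"     # placeholder CA DN
    rightid="C=DE, O=Example, CN=peer.example.org"   # placeholder peer subject DN
    rightauth=pubkey
    auto=start
```

With variant B the CA certificate itself must be present in /etc/ipsec.d/cacerts/ so strongswan can build the chain, and the peer can renew its host certificate without any change on this side as long as the new certificate keeps the same subject and issuer. Leaving rightid unset (or set to a wildcard) is the configuration that would let any certificate the CA ever issued, road warrior certificates included, authenticate as this peer, so rightid is the line to check when reviewing a generated config.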