charon-nm: only a single CA cert file is loaded from "server certificate" file #2219
Comments
Yeah, strongSwan does not support certificate bundles. Changing that is currently not planned.
You can also configure your own directory (that e.g. only contains the CA certificates you need) via
Not unless that bundle is processed by a tool and split up into separate files. There is no difference in how files are loaded from the configured directory vs. when configured in the GUI.
https://bugs.debian.org/853266 doesn't provide sufficient details, but it might be related. Maybe it's oversimplified, but I find it difficult to understand that a directory providing 2 certificates is supported, while a file providing the same 2 certificates is not. Just my $0.02.
Don't think so. Not only was that created long before basic support for TLS-based EAP methods was added to charon-nm with bc3eda9 in 2020, the main issue is that strongSwan's certificate parsers can only handle a single certificate per file. So loading a directory with multiple files, each containing a trusted certificate, is straightforward; loading multiple certificates from a single file is not.
Root Issue
When a certificate file is selected for the server, the nm backend loads only a single cert from that file, even if it is a PEM bundle of both CA certs.
Affected use cases
This breaks PEAP/EAP-TLS/EAP-TTLS/etc. when the IPsec gateway authenticates itself via a different CA from the one behind the TLS handshake within EAP, which is quite common when using a RADIUS server.
Code affected
strongswan/src/charon-nm/nm/nm_service.c
Lines 769 to 789 in f8e6fd3
Workaround
When no cert file is selected, the nm backend loads all certs from the system CA folder. Putting the same CA cert bundle PEM file in that folder makes TLS-based EAP methods work again.
Expected fix
All certs from inside that file should be loaded as trusted CAs or gateway/server cert.
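Since the maintainer's comment above says a bundle only works once it is "processed by a tool and split up into separate files", here is an added example of such a tool (not part of the issue, and not strongSwan's own code): a small Python script that splits a PEM bundle into one certificate per file so the resulting directory can be pointed to as the trusted-CA directory. It only handles PEM framing and base64, not X.509 parsing; the sample bundle it ships with is constructed from placeholder bytes and contains no real certificates. Keys and CRL blocks are skipped, duplicates are written once, and a block with corrupt base64 is dropped rather than written as an unparsable file.

```python
import base64
import hashlib
import re
import tempfile
from pathlib import Path

# Matches one PEM certificate block; other block types (keys, CRLs) do not match.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def split_pem_bundle(bundle_text):
    """Return [(sha256_hex_of_der, normalized_pem_block), ...] for each unique cert.

    Non-certificate PEM blocks and comments between blocks are ignored, which is
    what a trusted-CA directory should contain anyway. The base64 is decoded only
    to compute a stable file name and to reject corrupt blocks; the DER itself is
    not parsed here."""
    certs = []
    seen = set()
    for match in PEM_CERT_RE.finditer(bundle_text):
        body = "".join(match.group(1).split())  # drop line breaks inside the block
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:
            continue  # corrupt base64: skip instead of writing a broken file
        digest = hashlib.sha256(der).hexdigest()
        if digest in seen:
            continue  # same certificate listed twice in the bundle: keep one copy
        seen.add(digest)
        pem = "-----BEGIN CERTIFICATE-----\n"
        pem += "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
        pem += "\n-----END CERTIFICATE-----\n"
        certs.append((digest, pem))
    return certs


def write_ca_dir(bundle_text, out_dir):
    """Write one .pem file per certificate into out_dir and return the paths."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    paths = []
    for digest, pem in split_pem_bundle(bundle_text):
        path = out / f"{digest[:16]}.pem"  # content-derived name: stable and unique
        path.write_text(pem)
        paths.append(path)
    return paths


def _fake_block(label, payload):
    """Build a PEM-framed block from constructed bytes (placeholder, not a real cert)."""
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"


# Constructed sample: two distinct "CAs", one duplicate, one key, one corrupt block.
SAMPLE_BUNDLE = (
    "# constructed bundle for demonstration only\n"
    + _fake_block("CERTIFICATE", b"constructed gateway CA (not a real certificate)")
    + _fake_block("PRIVATE KEY", b"constructed key material, must be skipped")
    + _fake_block("CERTIFICATE", b"constructed RADIUS/EAP CA (not a real certificate)")
    + _fake_block("CERTIFICATE", b"constructed gateway CA (not a real certificate)")
    + "-----BEGIN CERTIFICATE-----\nnot*valid*base64\n-----END CERTIFICATE-----\n"
)


def demo(out_dir=None):
    """Split SAMPLE_BUNDLE into out_dir (a fresh temp dir by default); return file names."""
    if out_dir is None:
        out_dir = tempfile.mkdtemp(prefix="ca-split-")
    return [p.name for p in write_ca_dir(SAMPLE_BUNDLE, out_dir)]


if __name__ == "__main__":
    for name in demo():
        print(name)
```

Running the script writes two files into a temporary directory; each holds exactly one certificate, which is the layout strongSwan's per-file parser expects when a directory of trusted CAs is configured.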