On 2024/07/30 20:19, J Doe wrote:
> On 2024-07-30 19:39, Stuart Henderson wrote:
>
> > On 2024-07-30, J Doe <general@nativemethods.com> wrote:
> > > As a result of continuing to experiment with my configuration, I ran
> > > into a new issue. I followed the instructions in the OpenBSD FAQ[0] for
> > > an X.509 configuration - in particular the following (with hostnames for
> > > my server and Mac):
> > >
> > > server1# ikectl ca vpn certificate client1.domain create
> > > server1# cp /etc/ssl/vpn/client1.domain.crt /etc/iked/certs/
> > > server1# ikectl ca vpn certificate client1.domain export
> >
> > BTW this is a shortcut that ikectl implements to make things easy,
> > although it does mean that the client's "private" key actually ends
> > up on the server.
> >
> > The traditional way of doing this is exactly like an X509 cert for a
> > web server, i.e. the client generates a private key and cert signing
> > request, the key is never transferred off the machine, only the CSR
> > which is taken to the CA. The CA then uses that to produce a cert
> > which is signed by the CA and sent back.
> >
> > See the X.509 AUTHENTICATION section in isakmpd(8) for some gory
> > details which are mostly hidden if you use "ikectl ca".
> >
> > > server1# tar -C /tmp -xzf client1.domain.tgz *pfx
> > > server1# cp /tmp/export/client1.domain.pfx \
> > > /var/www/htdocs/client1.domain.pfx
> > >
> > > ...so on my OpenBSD server I have the client's X.509 certificate and the
> > > CA certificate at: /etc/iked/certs.
> > >
> > > I then removed the _client_ certificate from this location on the server
> > > and attempted connecting from the Mac and it authenticated.
> > >
> > > My new question is - shouldn't the server reject an X.509 authentication
> > > attempt if the _client_ certificate is not on the server ?
> >
> > No, that's not how it is expected to work, you don't need the client cert
> > on the server, just a way to validate that it's correct (by checking the
> > CA's signature and, IIUC, checking the subjectAltName against srcid).
>
>
> Hi Stuart,
>
> Thanks for your reply.
>
> Ok, I will make a note to read through the X.509 AUTHENTICATION section
> in: man 8 isakmpd.
>
> In regards to your last paragraph, where you state:
>
> "... just a way to validate that it's correct (by checking the CA's
> signature ..."
>
> ... does that mean if I remove my: ca.crt file from: /etc/iked/ca on the
> _server_ that the client should _not_ be able to authenticate, or is
> validating the CA's signature not dependent on that ?
As far as I know that's correct, I don't think there's anywhere else
that it should be picking up the CA cert from.
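The CSR-based flow Stuart describes, and the two checks the responder actually relies on (CA signature, then subjectAltName against the expected srcid), as an added example that is not part of the thread and not OpenBSD or ikectl code: it uses openssl(1) only, so it runs on any system, and it does not touch /etc/iked. The CA name "vpn CA", the hostname client1.domain and the temporary directories are placeholders. The last check in run_demo() reproduces the question above: with the CA cert withdrawn from the verifying side, the client cert is no longer accepted, while the verifying side never needs a copy of the client cert itself.

```shell
#!/bin/sh
# Added example (not from the thread, not OpenBSD's ikectl/iked code):
# the "traditional" X.509 flow with openssl(1). Names are placeholders.
set -eu

# CA side: self-signed CA key and cert. Stands in for "ikectl ca vpn create".
ca_init() {          # $1 = CA directory
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=vpn CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" >/dev/null 2>&1
}

# Client side: key and CSR generated locally. The key never leaves this dir.
client_csr() {       # $1 = client directory, $2 = client hostname
  mkdir -p "$1"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1
}

# CA side again: sign the CSR, putting the hostname into subjectAltName,
# which is what gets compared against the peer's id. Only the CSR crossed.
ca_sign() {          # $1 = CA dir, $2 = client dir, $3 = client hostname
  printf 'subjectAltName=DNS:%s\n' "$3" > "$1/$3.ext"
  openssl x509 -req -in "$2/$3.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 365 -extfile "$1/$3.ext" \
    -out "$2/$3.crt" >/dev/null 2>&1
}

# Verifying (server) side: it holds ca.crt only, never the client cert, and
# checks (a) the CA signature and (b) the SAN against the expected identity.
# -no-CAfile/-no-CApath keep the system trust store out of the picture.
server_verify() {    # $1 = ca.crt path or "" for none, $2 = presented cert, $3 = expected id
  if [ -n "$1" ]; then
    openssl verify -no-CAfile -no-CApath -CAfile "$1" \
      -verify_hostname "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -no-CAfile -no-CApath \
      -verify_hostname "$3" "$2" >/dev/null 2>&1
  fi
}

# Whole exchange end to end. Returns 0 only if every expectation holds.
run_demo() {
  w=$(mktemp -d); host=client1.domain; rc=0
  ca_init "$w/ca"
  client_csr "$w/client" "$host"
  ca_sign "$w/ca" "$w/client" "$host"
  # Verifier has ca.crt only; the cert the client presents is accepted.
  server_verify "$w/ca/ca.crt" "$w/client/$host.crt" "$host" || rc=1
  # Same CA, but the SAN does not match the expected id: must be rejected.
  ! server_verify "$w/ca/ca.crt" "$w/client/$host.crt" other.domain || rc=1
  # CA cert withdrawn from the verifier (cf. /etc/iked/ca): must be rejected.
  ! server_verify "" "$w/client/$host.crt" "$host" || rc=1
  rm -rf "$w"
  return $rc
}

run_demo && echo "all checks passed" || echo "a check failed"
```

The private keys here stay in the directory where they were generated; the CA only ever sees the CSR and the hand-back is the signed certificate. That is the property the ikectl "export" shortcut gives up, as noted above, since it generates the client key on the server.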