On 2024-07-30 19:39, Stuart Henderson wrote:
> On 2024-07-30, J Doe <general@nativemethods.com> wrote:
>> As a result of continuing to experiment with my configuration, I ran
>> into a new issue. I followed the instructions in the OpenBSD FAQ[0] for
>> an X.509 configuration - in particular the following (with hostnames for
>> my server and Mac):
>>
>> server1# ikectl ca vpn certificate client1.domain create
>> server1# cp /etc/ssl/vpn/client1.domain.crt /etc/iked/certs/
>> server1# ikectl ca vpn certificate client1.domain export
>
> BTW this is a shortcut that ikectl implements to make things easy,
> although it does mean that the client's "private" key actually ends
> up on the server.
>
> The traditional way of doing this is exactly like an X509 cert for a
> web server, i.e. the client generates a private key and cert signing
> request, the key is never transferred off the machine, only the CSR
> which is taken to the CA. The CA then uses that to produce a cert
> which is signed by the CA and sent back.
>
> See the X.509 AUTHENTICATION section in isakmpd(8) for some gory
> details which are mostly hidden if you use "ikectl ca".
>
>> server1# tar -C /tmp -xzf client1.domain.tgz *pfx
>> server1# cp /tmp/export/client1.domain.pfx \
>> /var/www/htdocs/client1.domain.pfx
>>
>> ...so on my OpenBSD server I have the client's X.509 certificate and the
>> CA certificate at: /etc/iked/certs.
>>
>> I then removed the _client_ certificate from this location on the server
>> and attempted connecting from the Mac and it authenticated.
>>
>> My new question is - shouldn't the server reject an X.509 authentication
>> attempt if the _client_ certificate is not on the server?
>
> No, that's not how it is expected to work, you don't need the client cert
> on the server, just a way to validate that it's correct (by checking the
> CA's signature and, IIUC, checking the subjectAltName against srcid).
Hi Stuart,

Thanks for your reply.

Ok, I will make a note to read through the X.509 AUTHENTICATION section
in: man 8 isakmpd.

In regards to your last paragraph, where you state:

"... just a way to validate that it's correct (by checking the CA's
signature ..."

... does that mean if I remove my: ca.crt file from: /etc/iked/ca on the
_server_ that the client should _not_ be able to authenticate, or is
validating the CA's signature not dependent on that?

Thanks,

- J
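The CSR-based flow Stuart describes, walked through with plain openssl(1) as an added example; this is not code from the thread or from ikectl, and the names (vpn-ca, client1.domain, the other-ca stand-in) and the temporary work directory are constructed for the demonstration. openssl verify stands in for the validation iked performs: the only thing the verifying side needs on disk is the CA certificate, a client certificate that chains to it verifies without any copy of that client certificate being stored, and the same certificate fails to verify against a CA that did not sign it. The subjectAltName printed at the end is the value that would be matched against the peer's srcid.

```shell
#!/bin/sh
# Added example (not from the thread): the "traditional" X.509 flow with
# openssl(1). All names are constructed; everything lives in a temp dir.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# CA side: create a self-signed CA certificate. Argument 1 is the CA's name,
# used both for the CN and for the output file names.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
    -subj "/CN=$1" >/dev/null 2>&1
}

# Client side: the private key is generated here and never leaves this
# step; only client1.csr is handed to the CA.
make_client_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/client1.key" -out "$WORK/client1.csr" \
    -subj "/CN=client1.domain" >/dev/null 2>&1
}

# CA side: sign the CSR with the given CA, adding the subjectAltName that
# the verifying side will compare with the peer's srcid.
sign_client_csr() {
  printf 'subjectAltName=DNS:client1.domain\n' > "$WORK/client.ext"
  openssl x509 -req -days 365 -in "$WORK/client1.csr" \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -extfile "$WORK/client.ext" -out "$WORK/client1.crt" >/dev/null 2>&1
}

# Verifying side: returns 0 if client1.crt chains to the CA file given as
# argument 1. Note that nothing but that CA file is consulted.
verify_against_ca() {
  openssl verify -CAfile "$1" "$WORK/client1.crt" >/dev/null 2>&1
}

# Extract the subjectAltName from the signed client certificate.
client_san() {
  openssl x509 -in "$WORK/client1.crt" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^[[:space:]]*//'
}

make_ca vpn-ca          # the CA the server trusts
make_ca other-ca        # an unrelated CA, used to show the negative case
make_client_csr
sign_client_csr vpn-ca

if verify_against_ca "$WORK/vpn-ca.crt"; then
  echo "client1.crt verifies against vpn-ca.crt (no client cert on file needed)"
fi
if ! verify_against_ca "$WORK/other-ca.crt"; then
  echo "client1.crt does NOT verify against other-ca.crt"
fi
echo "SAN to match against srcid: $(client_san)"
```

Running the script prints the two verification outcomes and the SAN; the private key client1.key is only ever written on the "client" step and is not an input to signing or verification.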