[Swan-dev] require-id-on-certificate vs allow-cert-without-san-id

Paul Wouters paul.wouters at aiven.io
Thu May 6 14:40:19 UTC 2021


On Thu, 6 May 2021, Andrew Cagney wrote:

> Subject: [Swan-dev] require-id-on-certificate vs allow-cert-without-san-id
> 
> I suspect they're just fighting over the same policy bit?

Yes. The devil is in the defaults.

We wanted the default to be to require the ID on cert. But that means
the whack option has to be a negative, or else whack users aren't
getting the new protection automatically. Hence --allow-cert-without-san-id

But for the config file, we don't want to describe the option as a
negative, but as a positive, and enable it as default, hence
require-id-on-certificate=yes

> It comes up as I'm trying to get my brain around things like the else clause in:
> 
>                         if (!LIN(POLICY_ALLOW_NO_SAN, c->policy)) {
>                                 diag_t d = diag("X509: connection failed due to unmatched IKE ID in certificate SAN");
>                                 llog_diag(RC_LOG, ike->sa.st_logger, &d, "%s", "");
>                                 must_switch = true;
>                         } else {
>                                 log_state(RC_LOG, &ike->sa, "X509: connection allows unmatched IKE ID and certificate SAN");
>                         }
>

The policy bit could be renamed to POLICY_REQUIRE_ID_ON_CERT, but that
would require changing the default policy bits and inverting the logic
everywhere. POLICY_ALLOW_NO_SAN was likewise done as a negative, so
that the number of policy bits included by default does not increase.
I.e., it is the exceptional configuration that gains the policy bit,
not the default one.

Paul
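To make the "same bit, two spellings" point concrete, here is a small added example (not libreswan code, and not from either poster) of a policy bitmask where the whack option is negative, the config option is positive with a default of yes, and both land on one bit. The bit value, the function names and the SAN comparison (plain string equality on a list of names) are assumptions for illustration; the real code matches ID types far more carefully.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical policy bit; the value and type are assumptions, not libreswan's. */
typedef uint64_t lpolicy_t;
#define POLICY_ALLOW_NO_SAN ((lpolicy_t)1 << 0)

/* The default policy carries no bits at all: requiring the IKE ID to
 * match a certificate SAN is what you get when nothing is set. */
#define DEFAULT_POLICY ((lpolicy_t)0)

/* whack: a negative option, so a whack user who passes nothing new
 * still gets the protection. Returns 0 on success, -1 if unknown. */
int apply_whack_option(lpolicy_t *policy, const char *arg)
{
    if (strcmp(arg, "--allow-cert-without-san-id") == 0) {
        *policy |= POLICY_ALLOW_NO_SAN;
        return 0;
    }
    return -1;
}

/* ipsec.conf: a positive option, require-id-on-certificate=yes|no.
 * "yes" (the default) leaves the bit clear; "no" sets the same bit
 * that the whack option sets. Returns 0 on success, -1 on bad input. */
int apply_config_option(lpolicy_t *policy, const char *kv)
{
    const char *key = "require-id-on-certificate=";
    size_t klen = strlen(key);
    if (strncmp(kv, key, klen) != 0)
        return -1;
    const char *val = kv + klen;
    if (strcmp(val, "yes") == 0) {
        *policy &= ~POLICY_ALLOW_NO_SAN;
        return 0;
    }
    if (strcmp(val, "no") == 0) {
        *policy |= POLICY_ALLOW_NO_SAN;
        return 0;
    }
    return -1;
}

/* The decision from the quoted if/else: accept when the IKE ID matches
 * a SAN entry, or when the policy explicitly allows an unmatched ID.
 * SAN matching is simplified to string equality for this example. */
bool ike_id_accepted(lpolicy_t policy, const char *ike_id,
                     const char *const *sans, size_t nsans)
{
    for (size_t i = 0; i < nsans; i++) {
        if (strcmp(sans[i], ike_id) == 0)
            return true;
    }
    if (policy & POLICY_ALLOW_NO_SAN) {
        printf("X509: connection allows unmatched IKE ID and certificate SAN\n");
        return true;
    }
    printf("X509: connection failed due to unmatched IKE ID in certificate SAN\n");
    return false;
}

int main(void)
{
    /* Constructed sample certificate SAN list. */
    const char *const sans[] = { "vpn.example.org", "gw.example.org" };
    lpolicy_t policy = DEFAULT_POLICY;

    printf("default, matching ID:  %s\n",
           ike_id_accepted(policy, "vpn.example.org", sans, 2) ? "accepted" : "rejected");
    printf("default, unmatched ID: %s\n",
           ike_id_accepted(policy, "other.example.org", sans, 2) ? "accepted" : "rejected");

    /* Either spelling of the exception sets the same bit. */
    apply_whack_option(&policy, "--allow-cert-without-san-id");
    printf("whack exception, unmatched ID: %s\n",
           ike_id_accepted(policy, "other.example.org", sans, 2) ? "accepted" : "rejected");

    policy = DEFAULT_POLICY;
    apply_config_option(&policy, "require-id-on-certificate=no");
    printf("config exception, unmatched ID: %s\n",
           ike_id_accepted(policy, "other.example.org", sans, 2) ? "accepted" : "rejected");
    return 0;
}
```

The point to check when adding a bit like this is the one Paul describes: a fresh DEFAULT_POLICY must still reject an unmatched ID, and only the explicit exception (from either front end) should flip that.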

