[Swan] Certificate SubjectAltName checking

Paul Wouters paul at nohats.ca
Tue Dec 5 19:36:24 UTC 2017


On Tue, 5 Dec 2017, Daniel Collins wrote:

> We have reverted this commit in our tree for the time being as a
> workaround. Our certificates do not have a SubjectAltName field and the
> common name matching doesn't appear to be sufficient. We also do not
> enforce any kind of linkage between the configured tunnel IDs and the
> fields within the certificate.

> What are your thoughts on this? Are there caveats with using arbitrary
> IDs when certificate auth is in use? What was the reasoning behind
> this change to Libreswan?

It is a security issue. If you have 1 CA that signed mail.example.com
and web.example.com, and you don't do further ID to CERT binding, then
mail.example.com could take over the IP of web.example.com, present
the ID of web.example.com and then use its own mail.example.com CERT,
since it is a valid CERT signed by the same CA. A client checking its
IPsec connection to web.example.com would then see the correct ID but
validate the wrong certificate.

With the additional binding of the ID to the SubjectAltName, the server
can still send a forged ID of someone else, but it won't have a proper
certificate with that ID on it to later pass the certificate
verification step.

Paul
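The ID-to-certificate binding Paul describes, as an added example that is not Libreswan code and not part of the original thread. It uses Go's standard-library X.509 support to build a constructed throw-away CA that issues certificates for mail.example.com and web.example.com, then authenticates a peer in two steps: validate the chain, then require the asserted IKE ID to appear in the presented certificate's SubjectAltName. The type and function names (PeerAuthResult, AuthenticatePeer, NewTestPKI) and the toy PKI are assumptions of the example; real deployments would also handle IP and e-mail SAN entries and certificate revocation, which are left out here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// PeerAuthResult records the two independent checks from the mail: the
// presented certificate chains to the trusted CA, and the ID asserted in
// IKE is carried in that certificate's SubjectAltName.
type PeerAuthResult struct {
	ChainValid bool
	IDBound    bool
}

// idMatchesSAN reports whether assertedID is one of the certificate's SAN
// DNS names (exact, case-insensitive match; wildcards are not handled here).
func idMatchesSAN(cert *x509.Certificate, assertedID string) bool {
	for _, d := range cert.DNSNames {
		if strings.EqualFold(d, assertedID) {
			return true
		}
	}
	return false
}

// AuthenticatePeer: chain validation alone accepts any certificate the CA
// ever issued, so the asserted ID is additionally bound to the SAN.
func AuthenticatePeer(roots *x509.CertPool, presented *x509.Certificate, assertedID string) PeerAuthResult {
	_, err := presented.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	res := PeerAuthResult{ChainValid: err == nil}
	if res.ChainValid {
		res.IDBound = idMatchesSAN(presented, assertedID)
	}
	return res
}

// TestPKI is a constructed throw-away PKI for the two hosts in the mail.
type TestPKI struct {
	Roots     *x509.CertPool
	Mail, Web *x509.Certificate // SAN mail.example.com / web.example.com
}

// issue creates a fresh P-256 key for tmpl and has signer sign it; a nil
// signer makes the certificate self-signed (used for the CA).
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if signer == nil {
		signer, parent = key, tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func NewTestPKI() (*TestPKI, error) {
	now := time.Now()
	ca, caKey, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return nil, err
	}
	leaf := func(serial int64, host string) (*x509.Certificate, error) {
		c, _, err := issue(&x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: host},
			DNSNames: []string{host}, // the SAN entry the IKE ID must match
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(12 * time.Hour),
			KeyUsage: x509.KeyUsageDigitalSignature,
		}, ca, caKey)
		return c, err
	}
	mail, err := leaf(2, "mail.example.com")
	if err != nil {
		return nil, err
	}
	web, err := leaf(3, "web.example.com")
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return &TestPKI{Roots: roots, Mail: mail, Web: web}, nil
}

func main() {
	pki, err := NewTestPKI()
	if err != nil {
		panic(err)
	}
	// Honest web server, then the attack from the mail: the mail host on
	// web's IP asserts web's ID but can only present its own CA-signed cert.
	fmt.Printf("web cert, ID web.example.com:  %+v\n", AuthenticatePeer(pki.Roots, pki.Web, "web.example.com"))
	fmt.Printf("mail cert, ID web.example.com: %+v\n", AuthenticatePeer(pki.Roots, pki.Mail, "web.example.com"))
}
```

The second line of output is the point of the thread: the mail certificate passes chain validation (ChainValid is true) because the same CA signed it, and only the SAN binding (IDBound false) rejects the substituted peer.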
