Comments (6)
Thanks for the report. I recently noticed this myself. The name constraints validation is currently performed for each issuer/subject relation separately (this is basically how the cert_validator_t::validate()
method is called), which means there is no context beyond the two certificates. I guess that's why the plugin enforces that name constraints are inherited (with narrowing/widening) through the complete chain so that the issuer of the end-entity certificate will provide all the relevant constraints (this is the first validation that will occur).
Instead, we'd technically have to maintain sets of allowed/disallowed names starting from the root and apply them to each level in the PKI and possibly modify them depending on the name constraints contained in the intermediate CA certificates. This could be similar to the policy constraints validation, which only occurs once the complete chain is available (basically the last call of validate()
where anchor
is set TRUE
). Then we could build the chain and sets of name constraints from the root and properly validate them. I'll try to have a look at this soon.
from strongswan.
Wonderful, thank you so much! That sounds exactly like the approach I was thinking would be used.
Let me know if I can assist in testing in any way.
from strongswan.
I've pushed some changes to the 2114-name-constraints branch that fix several of the shortcomings of the previous code (see the commit message of the last commit for details).
The certificates generated by your script are correctly validated with these changes.
from strongswan.
That looks great, thanks! I have only now gotten it built from source so I'll give it a test. Appreciate it!
from strongswan.
Hey there, sorry for the delay, I had a busy week and forgot to finish testing!
I can confirm that this fixes my issue with my setup—thanks again so much for the blazing fast turnaround.
from strongswan.
Great, thanks for testing.
from strongswan.
Related Issues (20)
- android11 can't use "IKEv2/IPSec MSCHAPv2" to connect strongswanVPN server
- "<child>.local_ts" Dynamic acquisition of network card IP address HOT 2
- I used a tester to test VPN throughput and found that charon’s memory usage was high and was killed by the kernel. Is there any solution to limit memory usage? HOT 13
- Build of version 5.9.14 fails on alpine (musl) HOT 1
- ubuntu make error
- proposal_keywords.c is excluded by the .gitignore file HOT 2
- charon-nm: only a single CA cert file is loaded from "server certificate" file HOT 3
- add logger configuration for json output HOT 4
- Add support for the post-quantum ML-KEM KE algorithm in openssl plugin
- Routing regression between 5.9.8 (Debian Bookworm deb12u1) and 5.9.13 (Ubuntu 24.04 (2ubuntu4)) HOT 10
- libstrongswan rsa test getting hang sporadically with strongswan 5.9.6 HOT 2
- "Invalid ELF image for this architecture" error while running tests suite in strongswan HOT 1
- Confusing loading state in Battery Saver HOT 1
- "Invalid ELF image for this architecture" error while running tests suite in strongswan 5.8.4 version HOT 5
- Are there plans to adapt HarmonyOS in the future? HOT 2
- "printf_hooks" test failure in strongswan 5.9.13 version HOT 2
- Always list first usable address as base in the output of swanctl --list-pools command
- multiple subnet but only one establishing
- swanctl ignores load=no for plugins HOT 1
- "Stream tests and http fetcher tests" failing on strongswan 5.9.13 HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from strongswan.