Re: [strongSwan] Checking X509 Extended Key Usage

2018-07-05 Thread Tobias Brunner
Hi Sven, > In your example scenario the CA has the policy set too. > I'm a bit unsure if this is necessary, because a RFC 5280 in section > 4.2.1.4 (Certificate Policies) states: > > "When a CA does not wish to limit the set of policies for certification > paths that include this certificate,

Re: [strongSwan] Checking X509 Extended Key Usage

2018-07-04 Thread Sven Anders
Hello Andreas, I'm getting closer by using certificate policies instead of the EKUs. In your example scenario the CA has the policy set too. I'm a bit unsure if this is necessary, because a RFC 5280 in section 4.2.1.4 (Certificate Policies) states: "When a CA does not wish to limit the set of

Re: [strongSwan] Checking X509 Extended Key Usage

2018-06-22 Thread Andreas Steffen
Hi Sven, the certificate policy must be contained in all certificates of the X.509 trust chain. See the following example scenario: https://www.strongswan.org/testing/testresults5dr/swanctl/rw-ed25519-certpol/ Regards Andreas On 20.06.2018 13:41, Sven Anders wrote: > Am 20.06.2018 um 10:43

Re: [strongSwan] Checking X509 Extended Key Usage

2018-06-20 Thread Sven Anders
On 20.06.2018 at 10:43, Andreas Steffen wrote: > Hi Sven, > > you can use certificate policies which are based on OIDs. > > With swanctl.conf: > > remote { > auth = pubkey > cert_policy = > ... > } > > or with ipsec.conf: > > rightcertpolicy= Thanks for pointing me to the

Re: [strongSwan] Checking X509 Extended Key Usage

2018-06-20 Thread Andreas Steffen
Hi Sven, you can use certificate policies which are based on OIDs. With swanctl.conf: remote { auth = pubkey cert_policy = ... } or with ipsec.conf: rightcertpolicy= Best regards Andreas On 20.06.2018 09:49, Sven Anders wrote: > Hi Andreas, > > Am 19.06.2018 um 18:47

Re: [strongSwan] Checking X509 Extended Key Usage

2018-06-20 Thread Sven Anders
Hi Andreas, On 19.06.2018 at 18:47, Andreas Steffen wrote: > Hi Sven, > > according to section 5.1.3.12. "ExtendedKeyUsage" of RFC 4945 > "The Internet IP Security PKI Profile of IKEv1/ISAKMP, IKEv2, and PKIX" > the IPsec User EKU is deprecated: > >The CA SHOULD NOT include the

Re: [strongSwan] Checking X509 Extended Key Usage

2018-06-19 Thread Andreas Steffen
Hi Sven, according to section 5.1.3.12. "ExtendedKeyUsage" of RFC 4945 "The Internet IP Security PKI Profile of IKEv1/ISAKMP, IKEv2, and PKIX" the IPsec User EKU is deprecated: The CA SHOULD NOT include the ExtendedKeyUsage (EKU) extension in certificates for use with IKE. Note that there

[strongSwan] Checking X509 Extended Key Usage

2018-06-19 Thread Sven Anders
Hello! We want to limit the usage of certificates by defining certain "Extended Key Usage" (EKU) flags to them. As an example, we want to set the "IPSec User" usage (1.3.6.1.5.5.7.3.7) and only allow connection via IPSec, if it is set. We may use some other flags out of our own space too. How