Hi Mugur,
> Our application using StrongSwan requires up to 20 trust anchors in the
> CERTREQ payload. Can you please specify which are theoretical/practical
> limitations for this number? Does StrongSwan loop over the list of
> trust anchors up to the first match (if any) and then stops?
When receiving a CERTREQ payload, charon tries to find a locally trusted
CA for each key identifier, and stores that information.
There is no theoretical limit, but having hundreds of trusted CAs
installed and having a matching certificate/private key under each CA
certainly could slow down building trust-chains. CERTREQs we have no
known CA for are not processed further.
During authentication when creating signatures, it looks for a list of
end-entity certificates and associated private keys to use for signing.
For each certificate, it tries to build a trust-chain to one of the CA
certificates it has received in the CERTREQ.
If you configure one or more leftcerts for your connection, precedence
for accepting a certificate is as follows:
* Find a trust-chain starting at one of the leftcerts having a private
key, ending at a CA for which we received a CERTREQ. If none found:
* Enforce a trust-chain starting with the first leftcert having a
private key, regardless of its CA. If no leftcert is given:
* Find a trust-chain starting at any found certificate matching leftid
with a private key, ending at a CA for which we received a
CERTREQ. If none found:
* Enforce a trust-chain for the first matching certificate with a
private key, regardless of its CA.
For the trust-chains ending at a CA from the CERTREQ, certificates up to
but not including that CA are sent in CERT payloads. If a trust-chain is
selected for a leftcert for which we received no CERTREQ, all
certificates in the trust-chain up to, but not including, the root CA are
sent in CERT payloads.
Regards
Martin
_______________________________________________
Users mailing list
https://lists.strongswan.org/mailman/listinfo/users
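The selection precedence Martin describes, modelled as an added example in Python (not strongSwan's own code) on a constructed PKI: `Cert`, `STORE`, `build_chain` and `select_certs` are my own names, subjects stand in for CERTREQ key identifiers, and only CAs installed locally count as CERTREQ matches, as in his note that unknown CAs are not processed further.

```python
# Added example (not strongSwan code): model of the leftcert / leftid
# selection precedence and of which certificates end up in CERT payloads.
from dataclasses import dataclass

@dataclass
class Cert:
    subject: str
    issuer: str            # issuer == subject marks a self-signed root
    has_key: bool = False  # a private key is available for this cert

def build_chain(cert, store):
    """Follow issuer links to the self-signed root: [cert, ..., root] or None."""
    chain, seen = [cert], {cert.subject}
    while chain[-1].issuer != chain[-1].subject:
        parent = store.get(chain[-1].issuer)
        if parent is None or parent.subject in seen:
            return None            # broken or looping chain
        chain.append(parent)
        seen.add(parent.subject)
    return chain

def select_certs(store, certreq_cas, leftcerts=(), leftid=None):
    """Return (certs to send in CERT payloads, rule that selected them)."""
    known_cas = {s for s in certreq_cas if s in store}  # unknown CAs are ignored
    if leftcerts:
        cands = [store[s] for s in leftcerts if store[s].has_key]
    else:  # no leftcert: any certificate matching leftid that has a private key
        cands = [c for c in store.values() if c.subject == leftid and c.has_key]
    # rules 1 (leftcert) / 3 (leftid): chain ending at a CA from the CERTREQ
    for cert in cands:
        chain = build_chain(cert, store) or []
        for i, c in enumerate(chain):
            if i > 0 and c.subject in known_cas:
                return chain[:i], "certreq-match"   # up to, not including the CA
    # rules 2 / 4: no match, enforce the first candidate regardless of its CA
    for cert in cands:
        chain = build_chain(cert, store)
        if chain:
            return chain[:-1], "enforced"           # up to, not including the root
    return [], "no-usable-cert"

# Constructed PKI: two roots, one intermediate, two end-entity certs with keys.
STORE = {c.subject: c for c in [
    Cert("RootA", "RootA"), Cert("SubA", "RootA"), Cert("RootB", "RootB"),
    Cert("peerA", "SubA", has_key=True), Cert("peerB", "RootB", has_key=True),
]}
```

Running `select_certs(STORE, ["RootB"], leftcerts=["peerA", "peerB"])` picks peerB because peerA's chain ends at RootA, which the peer did not request; with a CERTREQ for an unknown CA the first leftcert is enforced and its chain is sent without the root.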