Pull requests #45, #46 aim to add IPSec compatibility with Easy-RSA. On-point with this goal is RFC4945, and the related informational RFC4809. After a review of the requirements in these RFCs, basic support should be as simple as a new pair of client/server extensions under x509-types.
One issue I'm as yet undecided on is handling of the DN Subject. Per RFC, this value may be blank, as IKE will use the subjectAltName as authoritative (RFC4945 sec. 5.1.2.1 & 5.1.3.6.) Also of note is that RFC4809 (sec. 3.7.2) may choose to use either the DN or subjectAltName fields for verification. Support should exist for requesters to supply these as desired, possibly keeping today's existing behavior; attempting to supply an empty CN currently results in a failure.
An RFC4945-compliant CA has additional responsibilities, notably CRL and/or OCSP handling. While Easy-RSA supports these features, it is likely outside the scope to enforce these requirements in the core code. As an option down the road, possibly for an interested implementor, would be a contrib/ style script to aid in the configuration of further IKE-compliance.
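As an added illustration of what "a new pair of client/server extensions under x509-types" could look like, the following is example config written for this discussion, not a file from the Easy-RSA project or from the feature branch. Easy-RSA x509-types files are plain OpenSSL x509v3 extension fragments, so the syntax below is standard OpenSSL. The file names ipsec-server and ipsec-client, the exact keyUsage choices, and pairing the IKE purpose with serverAuth/clientAuth are assumptions; the OID 1.3.6.1.5.5.7.3.17 is id-kp-ipsecIKE as registered by RFC4945.

```ini
# ---- hypothetical x509-types/ipsec-server (added example, not an Easy-RSA file) ----
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
# IKE peers verify signatures over the exchange, so digitalSignature is required;
# keyEncipherment is kept for RSA deployments that also use the key for TLS.
keyUsage = digitalSignature,keyEncipherment
# Numeric OID spelled out so older OpenSSL builds without the ipsecIKE short
# name still accept it; serverAuth lets the same cert pass TLS-style checks.
extendedKeyUsage = serverAuth,1.3.6.1.5.5.7.3.17

# ---- hypothetical x509-types/ipsec-client (added example, not an Easy-RSA file) ----
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = digitalSignature
extendedKeyUsage = clientAuth,1.3.6.1.5.5.7.3.17
```

No subjectAltName line appears in either fragment on purpose: the SAN is the per-certificate identity that IKE treats as authoritative, so it has to come from the individual request (or an environment-driven extra-extension mechanism) rather than from a shared type file, and that is exactly the DN-vs-SAN handling the comment above leaves open. After signing, `openssl x509 -noout -text -in <issued cert>` and checking the "X509v3 Extended Key Usage" block is a quick way to confirm the IKE purpose actually landed in the certificate.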
A new feature-branch for this support has been created: issue49-ipsec-rfc4945. Feedback is welcome regarding how well this works for environments making use of IPSec certificates.
A description of the feature and a reference to the RFCs for external requirements probably need to happen before this can get merged into a mainline branch.