[Vpn-help] Hopefully the final 1.1 RC release ...

Matthew Grooms mgrooms at shrew.net
Wed Sep 27 23:57:17 CDT 2006


Peter Eisch wrote:
> Including my previous reply, below is what I've now tested.  My system is
> XPsp2 current including the recent vgx.dll patch (I think that was the
> name).  All my testing on the client used a p12 bundle.
> 

Thanks. Very much appreciated.

> 
> I can't test the PSK perturbations as Brian is running his own tests now.  I
> don't think I had an issue with them in RC3 and if the only changes were
> around ASN1DN handling I would give them reasonable confidence of working.
> 

I have no reason to think there is an issue with these modes.

> To my hangup with the ASN1DN -- to piggy back on the previous email -- I do
> think that it's important that the client validate the received cert from
> the remote against the ca.crt.  I don't "like" the checkbox for blindly
> accepting the cert and I don't think the subject of the cert should be a
> config requirement on the client.  If the ca.crt was used to sign the
> received cert -- that should be all the client needs to trust the server.
>

I think that's like going to a site that says www.legitemate.com and 
receiving a certificate saying

I think this is just a misunderstanding. In every RSA auth mode, the 
peer certificate is unconditionally verified to be issued by the CA. A 
digital signature is then used to verify that the peer in fact holds the 
private key for the certificate it presented. The only behavior that the 
check box modifies is that the server's asn1dn, offered as an identity, 
isn't compared with a client configured static value. I believe this is 
commonly referred to as authorization in addition to authentication.

Being able to compare a peer ID ( asn1dn or otherwise ) with a static 
value exists in every IPSEC implementation that I am aware of. If not 
the ID, what property distinguishes your VPN gateway cert from another 
cert issued by the same CA?

But I think this is all moot. I added a check box so that it can be 
disabled for asn1dn IDs. Problem solved right?

Thanks,

-Matthew
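The three checks described in the reply above (issued by the CA, proof of possession of the private key, and the separate identity comparison that the check box turns off), as an added Go example that is not Shrew Soft code. It builds throwaway P-256 certificates with Go's standard x509 package and uses a signed nonce as a stand-in for the IKE signature; the CA, gateway and DN names are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// issue makes a fresh P-256 key and a cert for cn: a self-signed CA if parent is nil, else a leaf signed by parentKey.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: parent == nil,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil { parent, parentKey = tmpl, key } // self-signed root signs its own template
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// signNonce is the peer's proof of possession: an ECDSA signature over the exchange nonce.
func signNonce(key *ecdsa.PrivateKey, nonce []byte) []byte {
	h := sha256.Sum256(nonce)
	sig, _ := ecdsa.SignASN1(rand.Reader, key, h[:]); return sig
}

// authenticatePeer runs the thread's three checks in order; only the last one (peer ID
// against the configured DN) is what the "don't compare the ID" check box turns off.
func authenticatePeer(peer, ca *x509.Certificate, nonce, sig []byte, expectedDN string, checkID bool) error {
	roots := x509.NewCertPool(); roots.AddCert(ca)
	if _, err := peer.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return errors.New("not issued by the configured CA: " + err.Error()) // authentication, step 1
	}
	h := sha256.Sum256(nonce)
	if !ecdsa.VerifyASN1(peer.PublicKey.(*ecdsa.PublicKey), h[:], sig) {
		return errors.New("peer does not hold the private key for its certificate") // step 2
	}
	if checkID && peer.Subject.String() != expectedDN {
		return errors.New("peer ID " + peer.Subject.String() + " is not " + expectedDN) // authorization
	}
	return nil
}
```

With checkID false, any certificate the same CA issued passes, which is exactly the distinction between authentication and authorization the reply draws.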
