[Vpn-help] Hopefully the final 1.1 RC release ...

Matthew Grooms mgrooms at shrew.net
Thu Sep 28 02:55:27 CDT 2006


Peter Eisch wrote:
> On 9/27/06 11:57 PM, "Matthew Grooms" <mgrooms at shrew.net> wrote:
> 
> The server's identity must be verified as being signed by the provided CA
> cert.  If the check box is checked, does this verification happen?
> 

Yes. As I said before, the peer's cert is unconditionally verified to be 
issued by the CA. The peer is then unconditionally verified to be the 
owner of the cert.

> 
> It doesn't.  Maybe this is where I'm running off the track.  The point of
> running a CA is to build a trust community.
> 

Sure. If you manage your own CA then you probably don't have an issue.

> Can you help me see an example of when one signed cert would need to be
> distinguished from another signed cert on a VPN gateway?
> 

The problem with hypothetical situations is that they're hypothetical ...

VPNGW1 - holds cert issued by quickssl ( yours )
VPNGW2 - holds cert issued by quickssl ( hackers )

You set up a client connection to VPNGW1 but get redirected to VPNGW2. 
You verify that the VPNGW2 cert is issued by quickssl using their public 
cert, verify that VPNGW2 holds the private key for the provided cert and 
the client responds to an XAUTH request with your username and password. 
Now they have your VPNGW address, all your proposal parameters and your 
username & password.

If you enable verification of the certificate subject, this wouldn't be 
possible.

Next time you connect to an ssl web site, double click the padlock icon 
and check the subject CN value for the cert. You will find that it is 
set to the FQDN of the web server you are communicating with.

This consistency is there for a reason.

>> But I think this is all moot. I added a check box so that it can be
>> disabled for asn1dn IDs. Problem solved right?
> 
> I'm looking to set up a pool of vpn servers (to give my frame of reference)
> and I want to be able to have the clients hit any of the servers that each
> have a cert signed by the same CA.  I could have all the servers use the
> same identity -- and maybe that's the "more right" way to approach it.
> 

That's how I would probably handle it.

Thanks,

-Matthew
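
The VPNGW1/VPNGW2 scenario above, as an added shell example (not part of the original post and not Shrew Soft code): both certificates chain to the same CA and both peers prove key possession, so only the subject comparison tells them apart. The CA name, the hostnames and the nonce signature standing in for IKE authentication are constructed assumptions; it requires the openssl CLI.

```shell
#!/bin/sh
# Added example. Constructed names: "Demo Public CA", vpngw1.example.com
# (your gateway), vpngw2.attacker.example (someone else's cert, same CA).
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

issue_cert() {  # $1 = file stem, $2 = subject DN; signed by the demo CA
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "$2" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/$1.pem" 2>/dev/null
}

chain_ok() {    # check 1: cert was issued by the configured CA
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

proves_key() {  # check 2: peer signs a nonce, verified with the cert's public key
  echo "constructed-nonce" > "$WORK/nonce"
  openssl dgst -sha256 -sign "$WORK/$1.key" -out "$WORK/sig" "$WORK/nonce"
  openssl x509 -in "$WORK/$1.pem" -noout -pubkey > "$WORK/pub.pem"
  openssl dgst -sha256 -verify "$WORK/pub.pem" -signature "$WORK/sig" \
    "$WORK/nonce" >/dev/null 2>&1
}

subject_cn() {  # CN from the certificate subject
  openssl x509 -in "$WORK/$1.pem" -noout -subject -nameopt multiline |
    sed -n 's/^ *commonName *= //p'
}

accept_peer() { # $1 = peer stem, $2 = expected CN ("" = subject check disabled)
  chain_ok "$1" && proves_key "$1" || return 1
  [ -z "$2" ] || [ "$(subject_cn "$1")" = "$2" ]
}

# One CA, two gateway certificates issued by it.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
  -out "$WORK/ca.pem" -days 1 -subj "/CN=Demo Public CA" 2>/dev/null
issue_cert gw1 "/CN=vpngw1.example.com"
issue_cert gw2 "/CN=vpngw2.attacker.example"

for expected in "" vpngw1.example.com; do
  for gw in gw1 gw2; do
    if accept_peer "$gw" "$expected"; then r=ACCEPT; else r=REJECT; fi
    echo "expected CN='${expected:-off}' peer=$(subject_cn "$gw"): $r"
  done
done
```

With the subject check off, both peers are accepted; with the expected CN set, only the gateway whose subject matches is accepted.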


