[Vpn-help] Hopefully the final 1.1 RC release ...
Matthew Grooms
mgrooms at shrew.net
Thu Sep 28 02:55:27 CDT 2006
Peter Eisch wrote:
> On 9/27/06 11:57 PM, "Matthew Grooms" <mgrooms at shrew.net> wrote:
>
> The server's identity must be verified as being signed by the provided CA
> cert. If the check box is checked, does this verification happen?
>
Yes. As I said before, the peer's cert is unconditionally verified to be
issued by the CA. The peer is then unconditionally verified to be the
owner of the cert.
>
> It doesn't. Maybe this is where I'm running off the track. The point of
> running a CA is to build a trust community.
>
Sure. If you manage your own CA then you probably don't have an issue.
> Can you help me see an example of when one signed cert would need to be
> distinguished from another signed cert on a VPN gateway?
>
The problem with hypothetical situations is that they're hypothetical ...
VPNGW1 - holds cert issued by quickssl ( yours )
VPNGW2 - holds cert issued by quickssl ( hackers )
You set up a client connection to VPNGW1 but get redirected to VPNGW2.
You verify that the VPNGW2 cert is issued by quickssl using their public
cert, verify that VPNGW2 holds the private key for the provided cert and
the client responds to an XAUTH request with your username and password.
Now they have your VPNGW address, all your proposal parameters and your
username & password.
If you enable verification of the certificate subject, this wouldn't be
possible.
Next time you connect to an ssl web site, double click the padlock icon
and check the subject CN value for the cert. You will find that it is
set to the FQDN of the web server you are communicating with.
This consistency is there for a reason.
>> But I think this is all moot. I added a check box so that it can be
>> disabled for asn1dn IDs. Problem solved right?
>
> I'm looking to set up a pool of vpn servers (to give my frame of reference)
> and I want to be able to have the clients hit any of the servers that each
> have a cert signed by the same CA. I could have all the servers use the
> same identity -- and maybe that's the "more right" way to approach it.
>
That's how I would probably handle it.
Thanks,
-Matthew