[strongSwan-dev] getting to peer certificate from ike_sa_t in a eap-tls connection
Sach K
2018-11-27 07:09:41 UTC
Hello,

Is there a way to get to the peer's certificate from an ike_sa_t pointer
for an eap-tls connection? I have a connection from a Windows machine to
strongSwan using eap-tls, but when I try to get the cert from an
enumeration of auth_cfg_t from the ike_sa, I do not see any rule that has
the cert. The same thing works well when Windows connects using a machine cert
without EAP. I need the cert when the updown script is called in order to
get some fields from the cert. I am using strongSwan 5.1.3 + patches.

regards,
sk
Tobias Brunner
2018-11-28 10:39:52 UTC
Hi,
Post by Sach K
Is there a way to get to the peer's certificate from an ike_sa_t pointer
for an eap-tls connection?
No, there isn't. The auth_cfg_t used in the TLS library (tls_peer_t,
via eap-tls plugin), which stores the certificate, is never merged with
that used for IKE.

Regards,
Tobias
Sach K
2018-11-29 06:40:21 UTC
Thank you, Tobias, for the reply.
Is there any other way to get to tls_peer_t from updown_listener.c?

regards,
-sk
Post by Tobias Brunner
Hi,
Post by Sach K
Is there a way to get to the peer's certificate from an ike_sa_t pointer
for an eap-tls connection?
No, there isn't. The auth_cfg_t used in the TLS library (tls_peer_t,
via eap-tls plugin), which stores the certificate, is never merged with
that used for IKE.
Regards,
Tobias
Tobias Brunner
2018-11-29 08:15:30 UTC
Hi,
Post by Sach K
Is there any other way to get to tls_peer_t from updown_listener.c?
No, there is no easy way to do that. It's also not that easy to patch
tls_peer_t because it has no access to the daemon (it's implemented in
libtls). So you'd have to extend tls_peer_t, tls_t and tls_eap_t to
somehow get the auth_cfg_t or the certificate in eap_tls_t and then
either merge that with the auth config of the IKE_SA or store that
information somewhere else (e.g. via lib->set) so it can be retrieved in
the updown listener.

Regards,
Tobias
Sach K
2018-11-29 16:38:42 UTC
Thanks for the pointers. I will investigate further.

regards,
sk
Post by Tobias Brunner
Hi,
Post by Sach K
Is there any other way to get to tls_peer_t from updown_listener.c?
No, there is no easy way to do that. It's also not that easy to patch
tls_peer_t because it has no access to the daemon (it's implemented in
libtls). So you'd have to extend tls_peer_t, tls_t and tls_eap_t to
somehow get the auth_cfg_t or the certificate in eap_tls_t and then
either merge that with the auth config of the IKE_SA or store that
information somewhere else (e.g. via lib->set) so it can be retrieved in
the updown listener.
Regards,
Tobias