From: Roman H. A. <rh...@op...> - 2011-02-17 01:24:25
Hi

While using RSA keys instead of certificates, I get lots of these log
messages:

racoon: WARNING: CERT validation disabled by configuration

I tried all sorts of validate_identifier / validate_cert combinations.

(Turning verify_cert on with RSA keys will yield an error "no ID nor
CERT found.", so that setting makes no sense anyway.)

I wonder if this warning makes any sense at all when not using certificates.

What exactly is the security risk meant by that warning when using RSA
keys instead of certificates?

Maybe we should suppress that warning in oakley.c:1488 when using
pre-shared or RSA keys?

Regards
Roman
From: Timo T. <tim...@ik...> - 2011-02-17 12:49:15
On 02/17/2011 03:24 AM, Roman Hoog Antink wrote:
> While using RSA keys instead of certificates, I get lots of these log
> messages:
>
> racoon: WARNING: CERT validation disabled by configuration
>
> I tried all sorts of validate_identifier / validate_cert combinations.
>
> (Turning verify_cert on with RSA keys will yield an error "no ID nor
> CERT found.", so that setting makes no sense anyway.)
>
> I wonder if this warning makes any sense at all when not using certificates.
>
> What exactly is the security risk meant by that warning when using RSA
> keys instead of certificates?
>
> Maybe we should suppress that warning in oakley.c:1488 when using
> pre-shared or RSA keys?

Sounds like brain damage to me. If we are using plain RSA from local
files, it doesn't really make sense to do cert validation.

I'd rather fix the error at oakley.c:1892, since the signature can be
considered validated if it matched the local RSA pair. This allows us to
keep "verify_cert yes" and work properly with RSA.

- Timo
From: Roman H. A. <rh...@op...> - 2011-02-18 02:01:34
On 17/02/11 23:49, Timo Teräs wrote:
> On 02/17/2011 03:24 AM, Roman Hoog Antink wrote:
>> While using RSA keys instead of certificates, I get lots of these log
>> messages:
>>
>> racoon: WARNING: CERT validation disabled by configuration
>>
>> I tried all sorts of validate_identifier / validate_cert combinations.
>>
>> (Turning verify_cert on with RSA keys will yield an error "no ID nor
>> CERT found.", so that setting makes no sense anyway.)
>>
>> I wonder if this warning makes any sense at all when not using certificates.
>>
>> What exactly is the security risk meant by that warning when using RSA
>> keys instead of certificates?
>>
>> Maybe we should suppress that warning in oakley.c:1488 when using
>> pre-shared or RSA keys?
>
> Sounds like brain damage to me. If we are using plain RSA from local
> files, it doesn't really make sense to do cert validation.
>
> I'd rather fix the error at oakley.c:1892, since the signature can be
> considered validated if it matched the local RSA pair. This allows as to
> keep "verify_cert yes" and work properly with RSA.
>
> - Timo

You can't use verify_cert=on together with RSA keys. Racoon would crash
in oakley.c:1839.

I still propose to suppress the warning if no certificates are being
used. How would you build an appropriate if statement/condition in order
to replace the 'else' with an 'else if' in oakley.c:1487?

        /* Generate a warning if verify_cert */
        if (iph1->rmconf->verify_cert) {
                plog(LLV_DEBUG, LOCATION, NULL, "CERT validated\n");
1487:   } else {
                plog(LLV_WARNING, LOCATION, NULL,
                        "CERT validation disabled by configuration\n");
        }

I walked through the fields of struct remoteconf, but I am not sure.
How about (mycertfile != NULL)?

- Roman
From: Roman H. A. <rh...@op...> - 2011-02-28 01:03:35
Attachments:
racoon-no_cert_warn.patch
Hi Timo

I suppressed the "CERT validation disabled..." warning in case no
certificate file has been configured (plainRSA and PSK setups).

Additionally this patch fixes the comment and it adds the peer's IP
address to the warning, making good use of our previous log improvement
patch.

Regards,
Roman
From: VANHULLEBUS Y. <va...@fr...> - 2011-03-01 14:50:32
On Mon, Feb 28, 2011 at 12:03:22PM +1100, Roman Hoog Antink wrote:
> Hi Timo

Hi.

> I suppressed the "CERT validation disabled..." warning in case no
> certificate file has been configured (plainRSA and PSK setups).
>
> Additionally this patch fixes the comment and it adds the peer's IP
> address to the warning, making good use of our previous log improvement
> patch.

I'm not sure the mycertfile != NULL is a good check: if you have hybrid
authentication, you may have no certfile on your side, but a certificate
(and a CERT validation) for your peer.

As this is only a warning in logs, I'll postpone this issue for after
0.8.0 release.

Yvan.
From: Roman H. A. <rh...@op...> - 2011-03-21 06:44:41
On 2011-03-01 14:50 VANHULLEBUS Yvan wrote:
> I'm not sure the mycertfile != NULL is a good check: if you have
> hybrid authentication, you may have no certfile on your side, but a
> certificate (and a CERT validation) for your peer.

My next idea was to test for

    iph1->rmconf->key == NULL && iph1->rmconf->rsa_private == NULL

in order to exclude just pre-shared key and plainRSA setups. But this
does not work, because x509 setups use the rmconf->rsa_private/public
pointers as well.

I could not find any unique characteristics, when looking at the region
of cfparse.y:2204, where verify_cert is disabled due to plainRSA setups.

I see now, that pre-shared key setups do not matter, because they will
run with rmconf->verify_cert enabled (I did not find a disable statement
as with the plainRSA case).

Any ideas?

-Roman.
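The point Yvan raises about hybrid authentication, and the condition Roman is looking for, can be modelled stand-alone. The following is an added example, not racoon's code and not the patch from this thread: the enum and struct names (auth_method, cert_type, rmconf_model) are assumptions chosen to mirror the discussion, not ipsec-tools identifiers. It shows why a local-certificate check (mycertfile != NULL) and a peer-certificate check disagree exactly in the hybrid case, where the local side holds no certificate but the peer's certificate is still expected and should still be validated.

```c
/*
 * Model of the "CERT validation disabled by configuration" decision.
 * Added example for the discussion above; the types below are assumed
 * names that stand in for racoon's struct remoteconf fields.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum auth_method {
    AUTH_PSK,          /* pre-shared key: no certificate on either side */
    AUTH_RSASIG,       /* RSA signature: plainRSA files or X.509 */
    AUTH_HYBRID_RSA    /* hybrid: peer uses a certificate, we use XAuth */
};

enum cert_type {
    CERT_NONE,
    CERT_PLAINRSA,     /* raw RSA keys loaded from local files */
    CERT_X509SIGN      /* X.509 certificate */
};

/* Assumed stand-in for the remoteconf fields the thread touches. */
struct rmconf_model {
    enum auth_method authmethod;
    enum cert_type   certtype;
    const char      *mycertfile;   /* NULL when no local certificate is configured */
    bool             verify_cert;
};

/* Will the peer present a certificate that we could validate? */
static bool peer_presents_cert(const struct rmconf_model *rm)
{
    switch (rm->authmethod) {
    case AUTH_PSK:
        return false;                          /* keys only, nothing to validate */
    case AUTH_RSASIG:
        return rm->certtype == CERT_X509SIGN;  /* plainRSA carries no CERT payload */
    case AUTH_HYBRID_RSA:
        return true;                           /* peer side is certificate-based */
    }
    return false;
}

/* The warning is meaningful only when a peer certificate is expected
 * and its validation has been switched off. */
static bool cert_warning_applies(const struct rmconf_model *rm)
{
    return peer_presents_cert(rm) && !rm->verify_cert;
}

/* The local-certificate check proposed in the thread, kept for comparison. */
static bool warning_by_mycertfile(const struct rmconf_model *rm)
{
    return rm->mycertfile != NULL && !rm->verify_cert;
}

int main(void)
{
    /* Constructed configurations, one per case discussed in the thread. */
    const struct { const char *name; struct rmconf_model rm; } cases[] = {
        { "plainRSA",      { AUTH_RSASIG,     CERT_PLAINRSA, NULL,     false } },
        { "PSK",           { AUTH_PSK,        CERT_NONE,     NULL,     true  } },
        { "x509 no verify",{ AUTH_RSASIG,     CERT_X509SIGN, "my.pem", false } },
        { "hybrid client", { AUTH_HYBRID_RSA, CERT_NONE,     NULL,     false } },
    };
    size_t i;

    for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        printf("%-15s peer-cert check: %s   mycertfile check: %s\n",
               cases[i].name,
               cert_warning_applies(&cases[i].rm) ? "WARN" : "quiet",
               warning_by_mycertfile(&cases[i].rm) ? "WARN" : "quiet");
    }
    return 0;
}
```

The hybrid client row is the one that separates the two checks: mycertfile is NULL, so the local-certificate test stays quiet, yet the peer is going to present a certificate with verify_cert off, which is exactly the situation the warning exists for. Keying the decision on whether the peer is expected to present a certificate, rather than on what is configured locally, is what the thread is circling around.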