[Openswan Users] IPSec and Certificates

Paul Wouters paul at xelerance.com
Tue Feb 1 15:49:07 CET 2005


On Tue, 1 Feb 2005 t.henneberger at hcs-computer.de wrote:

> In order to use x.509 to authenticate and encrypt the connection, both
> sides need to have a Certificate from a CA both know, right?

Yes. In most setups, they both have an X.509 certificate signed by
the same CA.

> Now comes the part I am unsure about:
> Do both ends have to use the same Certificate, or is it enough when
> both sides have a Certificate which is signed by the above CA?

Both ends should have their *own* certificate, signed by the same CA
(or using intermediate CAs that at some point are signed by the same CA).

> who transfers his Public-Key first, the Client or the Server. A good link
> describing this process would be very very helpful.

Basically, the initiator (client) connecting is supposed to offer its
certificate first.  Then the responder (server) looks at it and answers by
sending the appropriate certificate itself. This is because the server
might have a bunch of different certificates for different clients,
and you don't want to leak out information by just sending all of
them. This is why Openswan introduced the left/right sendcert= option.
So on a client setup you would use leftsendcert=always. On a server
leftsendcert=ifasked.

Paul
-- 

"At best it is a theory, at worst a fantasy" -- Michael Crichton
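The two-sided setup Paul describes, written out as an ipsec.conf pair. This is an added example, not configuration from the original post or from the Openswan project; the hostnames, DNs, file names and the /etc/ipsec.d paths are assumptions. Each host has its own certificate, both chain to one CA, the client always sends its certificate, and the server only sends its own when the peer asks for it:

```ini
# --- /etc/ipsec.conf on the client (initiator) ---
# Assumed: the client's certificate is /etc/ipsec.d/certs/client1.pem,
# its private key is referenced in /etc/ipsec.secrets as
#   : RSA client1.key "passphrase"
# and the shared CA certificate sits in /etc/ipsec.d/cacerts/.
config setup
        interfaces=%defaultroute

conn office
        authby=rsasig
        left=%defaultroute
        leftcert=client1.pem
        leftrsasigkey=%cert
        leftid="C=DE, O=Example, CN=client1.example.org"
        # client side: always offer our own certificate to the responder
        leftsendcert=always
        right=vpn.example.org
        rightrsasigkey=%cert
        rightid="C=DE, O=Example, CN=vpn.example.org"
        # only accept a server certificate issued by the same CA as ours
        rightca=%same
        auto=start

# --- /etc/ipsec.conf on the server (responder) ---
# Assumed: /etc/ipsec.d/certs/vpn.pem plus "  : RSA vpn.key" in ipsec.secrets,
# same CA certificate in /etc/ipsec.d/cacerts/.
config setup
        interfaces=%defaultroute

conn roadwarriors
        authby=rsasig
        left=vpn.example.org
        leftcert=vpn.pem
        leftrsasigkey=%cert
        leftid="C=DE, O=Example, CN=vpn.example.org"
        # server side: send our certificate only when the peer requests it,
        # so a responder holding several certificates does not reveal them all
        leftsendcert=ifasked
        right=%any
        rightrsasigkey=%cert
        # any peer is accepted as long as its certificate chains to our CA
        rightca=%same
        auto=add
```

After `ipsec auto --add` on both hosts, `ipsec auto --up office` on the client starts the negotiation; `ipsec auto --listcerts` and `--listcacerts` show which certificates and CAs each side actually loaded, which is the first thing to check when a CERT/CERTREQ exchange fails.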
