[Swan-dev] commit 3c13e367 X509: fixup SAN and ID handling change wanted?
Wolfgang Nothdurft
wolfgang at linogate.de
Mon Sep 4 09:33:40 UTC 2017
With the following commit, the default in pluto_process_certs changed
from TRUE to BAD. Now, when I try to connect, the specified certificate is
rejected because there is no trusted CA for this certificate:
    X509: Certificate rejected for this connection
    X509: CERT payload bogus or revoked
Is this change intended?
How do connections without a CA work now?
Or am I missing something?
See attached config and logs.
commit 3c13e36770337d8a6a358fbcd127f7995b3fa73b
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun Aug 6 19:52:35 2017 -0400
X509: fixup SAN and ID handling (especially for %fromcert cases and
Aggressive Mode)
-static bool pluto_process_certs(struct state *st, chunk_t *certs,
+
+static int pluto_process_certs(struct state *st, chunk_t *certs,
int num_certs)
{
struct connection *c = st->st_connection;
#if defined(LIBCURL) || defined(LIBLDAP)
SECItem fdn = { siBuffer, NULL, 0 };
#endif
- bool cont = TRUE;
+ int cont = LSW_CERT_BAD;
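Review bot: the new initialization `int cont = LSW_CERT_BAD;` (replacing `bool cont = TRUE;`) makes pluto_process_certs fail closed unless some later path explicitly sets cont to a non-bad value, and nothing in the quoted hunk shows where that happens for a peer pinned by fingerprint (rightcert=...) rather than chained to a trusted CA; please add a comment at the declaration stating that the fail-closed default is intentional, and record the behaviour change in the changelog and ipsec.conf(5), since a connection that worked with the old TRUE default is now rejected with "X509: Certificate rejected for this connection". Two smaller points: the return type changed from bool to a bare int carrying LSW_CERT_BAD-style values, so an enum type would document the valid return values better; and the extra `+` blank line added before `static int pluto_process_certs` looks accidental.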
-------------- next part --------------
A non-text attachment was scrubbed...
Name: libreswan-3.19-working.log
Type: text/x-log
Size: 7461 bytes
Desc: not available
URL: <https://lists.libreswan.org/pipermail/swan-dev/attachments/20170904/37952ba9/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: libreswan-3.21-rejected.log
Type: text/x-log
Size: 3215 bytes
Desc: not available
URL: <https://lists.libreswan.org/pipermail/swan-dev/attachments/20170904/37952ba9/attachment-0001.bin>
-------------- next part --------------
conn server_0-test_sn-sn_192.168.11.1/32-192.168.12.1/32
	leftsubnet=192.168.11.1/32
	right=10.0.12.2
	rightsubnet=192.168.12.1/32
	auto=add
	rekey=no
	left=%defaultroute
	pfs=yes
	compress=no
	disablearrivalcheck=no
	salifetime=540m
	ikelifetime=360m
	authby=rsasig
	leftcert=/etc/ipsec.d/server.crt
	leftid=%fromcert
	rightcert=4CA6C897978F631DDF19B4E762EC717DF1E40D56
	rightid="%fromcert"