[Swan-dev] commit 3c13e367 X509: fixup SAN and ID handling change wanted?

Wolfgang Nothdurft wolfgang at linogate.de
Mon Sep 4 09:33:40 UTC 2017


With the following commit the default in pluto_process_certs changed 
from TRUE to BAD. Now when I try to connect, the specified certificate is 
rejected because there is no trusted CA for this certificate.

X509: Certificate rejected for this connection
X509: CERT payload bogus or revoked

Is this change intended?
How do connections without CA work now?
Or am I missing something?

See attached config and logs.

commit 3c13e36770337d8a6a358fbcd127f7995b3fa73b
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Aug 6 19:52:35 2017 -0400

     X509: fixup SAN and ID handling (especially for %fromcert cases and Aggressive Mode)

-static bool pluto_process_certs(struct state *st, chunk_t *certs,
+
+static int pluto_process_certs(struct state *st, chunk_t *certs,
                                                   int num_certs)
  {
         struct connection *c = st->st_connection;
  #if defined(LIBCURL) || defined(LIBLDAP)
         SECItem fdn = { siBuffer, NULL, 0 };
  #endif
-       bool cont = TRUE;
+       int cont = LSW_CERT_BAD;
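Review bot: the initializer change on the last line of this hunk (`bool cont = TRUE;` to `int cont = LSW_CERT_BAD;`) flips the function's default from accept to reject, so any code path that returns without ever assigning `cont` now reports the certificate as bad; the hunk does not show where `cont` is set when no CA is configured for the connection, so either that path needs an explicit assignment or the commit message should state that certificates without a trusted CA are now rejected by design. The return type also changes from `bool` to `int`, so every caller that tested the old boolean result must be updated to compare against the LSW_CERT_* values; none of those call sites appear in the hunk. The added empty `+` line before the function is a stray blank line and should be dropped.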


-------------- next part --------------
A non-text attachment was scrubbed...
Name: libreswan-3.19-working.log
Type: text/x-log
Size: 7461 bytes
Desc: not available
URL: <https://lists.libreswan.org/pipermail/swan-dev/attachments/20170904/37952ba9/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: libreswan-3.21-rejected.log
Type: text/x-log
Size: 3215 bytes
Desc: not available
URL: <https://lists.libreswan.org/pipermail/swan-dev/attachments/20170904/37952ba9/attachment-0001.bin>
-------------- next part --------------
conn server_0-test_sn-sn_192.168.11.1/32-192.168.12.1/32
        leftsubnet=192.168.11.1/32
        right=10.0.12.2
        rightsubnet=192.168.12.1/32
        auto=add
        rekey=no
        left=%defaultroute
        pfs=yes
        compress=no
        disablearrivalcheck=no
        salifetime=540m
        ikelifetime=360m
        authby=rsasig
        leftcert=/etc/ipsec.d/server.crt
        leftid=%fromcert
        rightcert=4CA6C897978F631DDF19B4E762EC717DF1E40D56
        rightid="%fromcert"

