[Swan-dev] commit 3c13e367 X509: fixup SAN and ID handling change wanted?
Wolfgang Nothdurft
Wolfgang.Nothdurft at linogate.de
Wed Sep 6 07:41:06 UTC 2017
On 05.09.2017 at 18:38, Tuomo Soini wrote:
> On Mon, 4 Sep 2017 11:33:40 +0200
> Wolfgang Nothdurft <wolfgang at linogate.de> wrote:
>
>> With the following commit the default in pluto_process_certs changed
>> from TRUE to BAD. Now when I try to connect, the specified certificate
>> is rejected because there is no trusted CA for this certificate.
>
> Certificates as separate files are not supported any more, they need to
> be in nss db.
>
Sorry for the misleading description, the certificates are in the nss db. We use the
filename as nickname for historical reasons ;)

certutil -L -d sql:/etc/ipsec.d/

Certificate Nickname                                Trust Attributes
                                                    SSL,S/MIME,JAR/XPI

/etc/ipsec.d/server.crt                             u,u,u
4CA6C897978F631DDF19B4E762EC717DF1E40D56            P,,

So it seems the simple solution is to set the default back to TRUE (see
attached patch).
The log message could be changed to a debug message, because it can be
confusing (see attached log).
Sep 6 09:33:54 d1 pluto[22614]: "server_0-test_sn-sn_192.168.11.1/32-192.168.12.1/32" #2: X509: no trust anchor available for verification
Sep 6 09:33:54 d1 pluto[22614]: "server_0-test_sn-sn_192.168.11.1/32-192.168.12.1/32" #2: X509: Certificate not verified

But I'm wondering why the testsuite didn't catch this problem. There are
several tests with rightcert=east.
Are the ca certificates also present in these tests?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: libreswan-3.21-fix_conn_without_ca.patch
Type: text/x-patch
Size: 911 bytes
Desc: not available
URL: <https://lists.libreswan.org/pipermail/swan-dev/attachments/20170906/8f3090f1/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: libreswan-3.21-fixed.log
Type: text/x-log
Size: 9560 bytes
Desc: not available
URL: <https://lists.libreswan.org/pipermail/swan-dev/attachments/20170906/8f3090f1/attachment-0001.bin>
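As an added illustration (not part of this mail or of libreswan), the Python below parses a `certutil -L` listing like the one quoted above and reports whether the NSS database holds any CA trust anchor in the SSL trust column. The first sample listing is constructed from the one in the mail; the "Example Root CA (constructed)" entry in the second is made up.

```python
import re

# Constructed sample: the `certutil -L -d sql:/etc/ipsec.d/` listing quoted in the mail.
SAMPLE_NO_CA = """\
Certificate Nickname                                Trust Attributes
                                                    SSL,S/MIME,JAR/XPI

/etc/ipsec.d/server.crt                             u,u,u
4CA6C897978F631DDF19B4E762EC717DF1E40D56            P,,
"""

# Constructed sample with an additional CA certificate trusted to issue peer certs.
SAMPLE_WITH_CA = SAMPLE_NO_CA + "Example Root CA (constructed)                       CT,,\n"

# A trust column is a subset of certutil's flag letters:
# p/P = (trusted) peer, c = valid CA, C/T = trusted CA, u = user cert, w = warn.
TRUST_RE = re.compile(r"^[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*$")
CA_FLAGS = set("cCT")


def parse_certutil_listing(text):
    """Return (nickname, ssl_flags, smime_flags, jar_flags) for each cert row."""
    entries = []
    for line in text.splitlines():
        # The trust string is the last whitespace-separated token; nicknames may contain spaces.
        parts = line.rstrip().rsplit(None, 1)
        if len(parts) != 2 or not TRUST_RE.match(parts[1]):
            continue  # header line, blank line, or something that is not a cert row
        nickname, trust = parts
        entries.append((nickname, *trust.split(",")))
    return entries


def find_trust_anchors(text):
    """Nicknames usable as a trust anchor: any CA flag present in the SSL column."""
    return [nick for nick, ssl, _smime, _jar in parse_certutil_listing(text)
            if CA_FLAGS & set(ssl)]


def user_certs_without_anchor(text):
    """User certs ('u') in a DB that holds no CA at all. With the strict default
    these are the ones pluto reports as 'no trust anchor available for verification'."""
    if find_trust_anchors(text):
        return []
    return [nick for nick, ssl, _smime, _jar in parse_certutil_listing(text) if "u" in ssl]
```

Running it against a live database is a matter of feeding `subprocess.check_output(["certutil", "-L", "-d", "sql:/etc/ipsec.d/"], text=True)` to the same functions.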