[Swan-dev] commit 3c13e367 X509: fixup SAN and ID handling change wanted?

Wolfgang Nothdurft Wolfgang.Nothdurft at linogate.de
Wed Sep 6 07:41:06 UTC 2017

Am 05.09.2017 um 18:38 schrieb Tuomo Soini:
> On Mon, 4 Sep 2017 11:33:40 +0200
> Wolfgang Nothdurft <wolfgang at linogate.de> wrote:
>> With the following commit the default in pluto_process_certs changed
>> from TRUE to BAD. Now when I try to connect the specified certificate
>> is rejected because there is no trusted ca for this certificate.
> Certificates as separate files are not supported any more, they need to
> be in nss db.

Sorry for the misleading, the certificates are in the nss db. We use the 
filename as nickname for historical reasons ;)

certutil -L -d sql:/etc/ipsec.d/

Certificate Nickname                                         Trust 

/etc/ipsec.d/server.crt                                      u,u,u
4CA6C897978F631DDF19B4E762EC717DF1E40D56                     P,,

So it seems the simple solution is to set the default back to TRUE (see 
attached patch).
The log message could be changed to a debug message, because it can be 
confusing (see attached log).

Sep  6 09:33:54 d1 pluto[22614]: 
"server_0-test_sn-sn_192.168.11.1/32-" #2: X509: no trust 
anchor available for verification
Sep  6 09:33:54 d1 pluto[22614]: 
"server_0-test_sn-sn_192.168.11.1/32-" #2: X509: 
Certificate not verified

But I'm wondering why the testsuite didn't catch this problem. There are 
several tests with rightcert=east.
Are the ca certificates also present in these tests?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: libreswan-3.21-fix_conn_without_ca.patch
Type: text/x-patch
Size: 911 bytes
Desc: not available
URL: <https://lists.libreswan.org/pipermail/swan-dev/attachments/20170906/8f3090f1/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: libreswan-3.21-fixed.log
Type: text/x-log
Size: 9560 bytes
Desc: not available
URL: <https://lists.libreswan.org/pipermail/swan-dev/attachments/20170906/8f3090f1/attachment-0001.bin>

More information about the Swan-dev mailing list