[Swan-dev] commit 9bc2e4e7f61 broke self-signed certs

Paul Wouters paul at nohats.ca
Wed Nov 13 02:01:52 UTC 2019


On Tue, 12 Nov 2019, Andrew Cagney wrote:

> as in ...
>
> conn westnet-eastnet-x509
>        ikev2=no
>        also=westnet
>        also=eastnet
>        left=192.1.2.45
>        leftcert=west
>        leftid=%fromcert
>        right=192.1.2.23
>        rightid=%fromcert
>        rightcert=east

Yes.

>> I still think this check should go away.
>
> After checking that there are root certs, the code:
>
> - creates a list of certs sent over the wire
> - feeds this untrusted list + the root into CERT_PKIXVerifyCert() with:
>
>        {
>            .type = cert_pi_trustAnchors,
>            .value = { .pointer = { .chain = trustcl } }
>        },
>        {
>            .type = cert_pi_useOnlyTrustAnchors,
>            .value = { .scalar = { .b = PR_TRUE } }
>        },
>
> so if there's no root, or the only root is wrong, how can this pass?
> See lib/certdb/certt.h

Looking at the logs of x509-pluto-05, the code never calls
verify_end_cert(). I made an ikev2 version of this test,
ikev2-x509-pluto-05, and it too never calls verify_end_cert().

It does call find_and_verify_certs(), which calls get_root_certs().

Changing west to use the cert "road" properly fails:

loading root certificate cache
"westnet-eastnet-x509" #1: No Certificate Authority in NSS Certificate DB! Certificate payloads discarded.
"westnet-eastnet-x509" #1: certificate subjectAltName extension does not match ID_DER_ASN1_DN 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east at testing.libreswan.org'
"westnet-eastnet-x509" #1: Peer ID 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road at testing.libreswan.org' mismatched on first found connection and no better connection found
"westnet-eastnet-x509" #1: responding to IKE_AUTH message (ID 1) from 192.1.2.45:500 with encrypted notification AUTHENTICATION_FAILED

Paul
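
Added example, not part of the original message and not libreswan code: a small triage script for pluto log lines shaped like the excerpt above, pairing the "Certificate payloads discarded" notice with the outcome logged for the same connection and state. The function names are hypothetical, the sample input is the excerpt with the DNs shortened to their CN, and the review rule (discard without a logged AUTHENTICATION_FAILED) is an assumption about what an operator would want to confirm by hand.

```python
import re
from collections import defaultdict

# Constructed sample: the log excerpt from the message above, DNs shortened to the CN.
SAMPLE_LOG = """\
loading root certificate cache
"westnet-eastnet-x509" #1: No Certificate Authority in NSS Certificate DB! Certificate payloads discarded.
"westnet-eastnet-x509" #1: certificate subjectAltName extension does not match ID_DER_ASN1_DN 'CN=east.testing.libreswan.org'
"westnet-eastnet-x509" #1: Peer ID 'CN=road.testing.libreswan.org' mismatched on first found connection and no better connection found
"westnet-eastnet-x509" #1: responding to IKE_AUTH message (ID 1) from 192.1.2.45:500 with encrypted notification AUTHENTICATION_FAILED
"""

# '"conn-name" #serial: message' is the prefix used in the excerpt.
LINE_RE = re.compile(r'^"(?P<conn>[^"]+)" #(?P<serial>\d+): (?P<msg>.*)$')
PEER_ID_RE = re.compile(r"^Peer ID '(?P<id>[^']*)' mismatched")


def triage(log_text):
    """Group lines by (connection, state serial) and summarise the cert path."""
    states = defaultdict(lambda: {"certs_discarded": False, "san_mismatch": False,
                                  "rejected_peer_id": None, "auth_failed": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # global lines such as "loading root certificate cache"
        s = states[(m["conn"], int(m["serial"]))]
        msg = m["msg"]
        if "Certificate payloads discarded" in msg:
            s["certs_discarded"] = True
        elif "subjectAltName extension does not match" in msg:
            s["san_mismatch"] = True
        elif (p := PEER_ID_RE.match(msg)):
            s["rejected_peer_id"] = p["id"]
        elif msg.endswith("AUTHENTICATION_FAILED"):
            s["auth_failed"] = True
    return dict(states)


def needs_review(states):
    """States where wire certs were dropped for lack of a CA and no auth failure followed.

    Assumption: such a state authenticated, if at all, against a locally
    configured certificate, which is worth confirming by hand.
    """
    return [key for key, s in states.items()
            if s["certs_discarded"] and not s["auth_failed"]]
```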

