[Swan] no EE-cert in chain Issue

Tuomo Soini tis at foobar.fi
Thu Apr 6 14:16:43 EEST 2023


On Thu, 6 Apr 2023 16:00:31 +0530
Gayathri Manoj <gayathri.annur at gmail.com> wrote:

> Hi All,
> 
> We have upgraded the libreswan version from 3.20 to 3.25 and are
> getting the below errors.
> 
> " Mar 31 00:03:21.870077: "71170605222_x509" #1672: X509: no EE-cert
> in chain!
> Mar 31 00:03:21.870105: "71170605222_x509" #1672: X509: Certificate
> rejected for this connection
> Mar 31 00:03:21.870119: "71170605222_x509" #1672: X509: CERT payload
> bogus or revoked
> Mar 31 00:03:21.870151: "71170605222_x509" #1672: sending encrypted
> notification INVALID_ID_INFORMATION to 10.77.32.99:500"
> 
> Our cert has the below extension:
> 
> X509v3 Basic Constraints: critical
>     CA:TRUE
> 
> Please let us know if it is due to an issue with our certificate. With
> the same certificate it worked on the system where the libreswan
> version is 3.20.
> When we upload the CA-signed certificate with the web server template,
> there are no issues.
> 
> Please let us know if it is due to a libreswan limitation or a
> certificate issue.

Self-signed certificates (CA certificates) should not be used as VPN
certificates. You should use proper server/client certificates
instead.

Older versions of libreswan don't have the same level of certificate
verification as later ones.

-- 
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
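A pre-flight check for the situation in this thread, written as an added example (not from the list or the libreswan project): it classifies a certificate by its Basic Constraints extension and builds two constructed certificates, a self-signed CA:TRUE one like the poster's and a CA-signed CA:FALSE one like the web-server-template cert, assuming the openssl CLI (1.1.1 or later) is installed.

```shell
#!/bin/sh
# Pre-flight check for a libreswan end-entity (EE) certificate.
# Added example, not from the thread; assumes the openssl CLI (1.1.1+).
set -e

# cert_class FILE: print "ca" if FILE carries Basic Constraints CA:TRUE (the
# case libreswan 3.25 rejects with "no EE-cert in chain"), "ee" if it says
# CA:FALSE, "none" if the extension is absent. Fails if FILE is not a cert.
cert_class() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 2
    bc=$(openssl x509 -in "$1" -noout -text \
         | grep -A1 'X509v3 Basic Constraints' | tail -n1)
    case "$bc" in
        *CA:TRUE*)  echo ca ;;
        *CA:FALSE*) echo ee ;;
        *)          echo none ;;
    esac
}

# cert_is_ee FILE: succeed only when FILE is usable as a VPN EE certificate.
cert_is_ee() { [ "$(cert_class "$1")" != ca ]; }

# make_demo_certs DIR: build two constructed certificates in DIR.
#   ca.pem     self-signed, CA:TRUE  (what the poster loaded as the VPN cert)
#   server.pem CA-signed, CA:FALSE + serverAuth/clientAuth EKU
#              (the "web server template" shape that worked)
make_demo_certs() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' \
        > "$d/ca.ext"
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth,clientAuth\n' \
        > "$d/ee.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=demo-ca \
        -keyout "$d/ca.key" -out "$d/ca.csr" 2>/dev/null
    openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key" -days 1 \
        -extfile "$d/ca.ext" -out "$d/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=vpn.example.test \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -extfile "$d/ee.ext" -out "$d/server.pem" 2>/dev/null
}

# Demo: classify both constructed certificates, then clean up.
tmp=$(mktemp -d)
make_demo_certs "$tmp"
for f in ca.pem server.pem; do
    echo "$f: $(cert_class "$tmp/$f")"
done
rm -rf "$tmp"
```

Run `cert_class /etc/ipsec.d/yourcert.pem` (path is a placeholder) against the certificate you intend to load; anything other than `ee` is worth fixing before the upgrade.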