[Swan] no EE-cert in chain Issue

Paul Wouters paul at nohats.ca
Thu Apr 6 17:53:16 EEST 2023


On Apr 6, 2023, at 07:17, Tuomo Soini <tis at foobar.fi> wrote:
> 
> On Thu, 6 Apr 2023 16:00:31 +0530
> Gayathri Manoj <gayathri.annur at gmail.com> wrote:
> 
>> Hi All,
>> 
>> We have upgraded the libreswan version from 3.20 to 3.25 and getting
>> the below errors.
>> 
>> " Mar 31 00:03:21.870077: "71170605222_x509" #1672: X509: no EE-cert
>> in chain!
>> Mar 31 00:03:21.870105: "71170605222_x509" #1672: X509: Certificate
>> rejected for this connection
>> Mar 31 00:03:21.870119: "71170605222_x509" #1672: X509: CERT payload
>> bogus or revoked
>> Mar 31 00:03:21.870151: "71170605222_x509" #1672: sending encrypted
>> notification INVALID_ID_INFORMATION to 10.77.32.99:500"
>> 
>> In our cert is having the below extension
>> 
>> X509v3 Basic Constraints: critical
>>     CA:TRUE

This means the certificate is a CA cert (aka self-signed) - it is not an end certificate (EE).

>> 
>> Please let us know is it due to our certificate issue.  With the same
>> certificate it worked for the system where the libreswan version is
>> 3.20.
>> When we upload the CA signed certificate with web server template then
>> no issues.
>> 
>> Please let us know is it due to libreswan limitation or the
>> certificate issue.
> 
> Self-signed certificates (CA-certificates) should not be used as vpn
> certificates. You should use proper server/client certificates
> instead.
> 
> Older versions of libreswan don't have same level of certificate
> verification as later ones.

Indeed, although if you load these certificates on both sides with leftcert= and rightcert= , I believe it will work as it won’t validate the cert since it’s hard coded.

It does mean both sides must add both certificates to their nss certificate store.

Paul

> 
> -- 
> Tuomo Soini <tis at foobar.fi>
> Foobar Linux services
> +358 40 5240030
> Foobar Oy <https://foobar.fi/>
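As an added illustration of the distinction Tuomo and Paul draw above (this is example code, not code from the thread or from libreswan), the following script classifies a PEM certificate as CA or end-entity by its Basic Constraints extension, the extension shown in the original poster's certificate. It generates a constructed self-signed CA certificate and a CA-issued EE certificate with the openssl CLI (assumed available, 1.1.1 or later for `-addext`); the subject names and temp paths are assumptions.

```shell
#!/bin/sh
# Classify X.509 certificates the way a "no EE-cert in chain!" rejection does:
# a certificate carrying Basic Constraints CA:TRUE is a CA certificate, not an
# end-entity (EE) certificate, and should not be configured as a VPN peer cert.
set -e

# is_ee_cert FILE: returns 0 for an EE cert (CA:FALSE or no Basic Constraints),
# 1 for a CA cert (CA:TRUE). Uses -text so it works on any openssl version.
is_ee_cert() {
    if openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
        return 1
    fi
    return 0
}

# make_demo_certs DIR: constructed test material, not real deployment certs.
# Creates a self-signed CA (the kind the poster loaded) and an EE cert it issues.
make_demo_certs() {
    dir=$1
    # Self-signed CA certificate with Basic Constraints critical, CA:TRUE
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -addext "basicConstraints=critical,CA:TRUE" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    # Key and CSR for the end-entity (VPN gateway) certificate
    openssl req -newkey rsa:2048 -nodes -subj "/CN=vpn.example.test" \
        -keyout "$dir/ee.key" -out "$dir/ee.csr" 2>/dev/null
    # Extensions for the EE cert: explicitly not a CA, usable for TLS/IKE auth
    printf 'basicConstraints=critical,CA:FALSE\nextendedKeyUsage=serverAuth,clientAuth\n' \
        > "$dir/ee.ext"
    # Issue the EE cert with the CA key
    openssl x509 -req -in "$dir/ee.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -extfile "$dir/ee.ext" -out "$dir/ee.pem" 2>/dev/null
}

# Demo run: build both certificates and report how each would be treated
tmp=$(mktemp -d)
make_demo_certs "$tmp"
for f in "$tmp/ca.pem" "$tmp/ee.pem"; do
    if is_ee_cert "$f"; then
        echo "$f: end-entity certificate, usable as leftcert=/rightcert="
    else
        echo "$f: CA certificate (CA:TRUE), would be rejected as 'no EE-cert in chain!'"
    fi
done
rm -rf "$tmp"
```

To check a certificate already loaded into libreswan's NSS database, export it first with `certutil -L -d sql:/etc/ipsec.d -n <nickname> -a > cert.pem` and run `is_ee_cert cert.pem` on the result.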

