[Swan] no EE-cert in chain Issue
Paul Wouters
paul at nohats.ca
Thu Apr 6 17:53:16 EEST 2023
On Apr 6, 2023, at 07:17, Tuomo Soini <tis at foobar.fi> wrote:
>
> On Thu, 6 Apr 2023 16:00:31 +0530
> Gayathri Manoj <gayathri.annur at gmail.com> wrote:
>
>> Hi All,
>>
>> We have upgraded the libreswan version from 3.20 to 3.25 and are getting
>> the errors below.
>>
>> " Mar 31 00:03:21.870077: "71170605222_x509" #1672: X509: no EE-cert in chain!
>> Mar 31 00:03:21.870105: "71170605222_x509" #1672: X509: Certificate rejected for this connection
>> Mar 31 00:03:21.870119: "71170605222_x509" #1672: X509: CERT payload bogus or revoked
>> Mar 31 00:03:21.870151: "71170605222_x509" #1672: sending encrypted notification INVALID_ID_INFORMATION to 10.77.32.99:500"
>>
>> Our cert has the below extension:
>>
>> X509v3 Basic Constraints: critical
>>     CA:TRUE
This means the certificate is a CA cert (aka self-signed) - it is not an end certificate (EE)
>>
>> Please let us know whether it is due to an issue with our certificate. With the same
>> certificate it worked on the system where the libreswan version is
>> 3.20.
>> When we upload the CA-signed certificate made with the web server template,
>> there are no issues.
>>
>> Please let us know whether it is due to a libreswan limitation or a
>> certificate issue.
>
> Self-signed certificates (CA-certificates) should not be used as vpn
> certificates. You should use proper server/client certificates
> instead.
>
> Older versions of libreswan don't have the same level of certificate
> verification as later ones.
Indeed, although if you load these certificates on both sides with leftcert= and rightcert=, I believe it will work, as it won’t validate the cert since it’s hard coded.
It does mean both sides must add both certificates to their NSS certificate store.
Paul
>
> --
> Tuomo Soini <tis at foobar.fi>
> Foobar Linux services
> +358 40 5240030
> Foobar Oy <https://foobar.fi/>
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
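The distinction the thread turns on is the Basic Constraints extension (OID 2.5.29.19): a certificate carrying CA:TRUE is a CA certificate, and a verifier that expects an end-entity (EE) certificate in the peer's CERT payload will reject it. The `openssl x509 -in cert.pem -noout -text` output the poster pasted is what you inspect by hand; the added example below does the same check programmatically. It is not libreswan or NSS code (libreswan delegates chain validation to NSS), just a minimal standard-library DER walker that locates basicConstraints in a DER certificate and reports CA versus EE. The two "certificates" it runs on are constructed skeletons built in the block itself, with placeholder names, key and signature, so it runs offline; the function names are the example's own.

```python
"""Added example: find X.509 basicConstraints in a DER certificate and
classify the cert as CA or end-entity (EE). Standard library only.
The sample certificates are constructed skeletons, not real certs."""

OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # id-ce-basicConstraints 2.5.29.19


def der_read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER TLV at buf[pos:]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def der_children(buf, start, end):
    """Yield (tag, value_bytes) for each consecutive TLV in buf[start:end]."""
    pos = start
    while pos < end:
        tag, vstart, vend = der_read_tlv(buf, pos)
        yield tag, buf[vstart:vend]
        pos = vend


def basic_constraints(cert_der):
    """Return (is_ca, critical) from basicConstraints, or None if absent.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { ..., extensions [3] EXPLICIT Extensions }
    Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
    BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER OPTIONAL }
    """
    _, cert_start, cert_end = der_read_tlv(cert_der, 0)
    _, tbs = next(der_children(cert_der, cert_start, cert_end))  # first child: TBSCertificate
    for tag, value in der_children(tbs, 0, len(tbs)):
        if tag != 0xA3:                    # context-specific [3]: the extensions field
            continue
        _, exts = next(der_children(value, 0, len(value)))   # SEQUENCE OF Extension
        for _, ext in der_children(exts, 0, len(exts)):
            fields = list(der_children(ext, 0, len(ext)))
            if fields[0][1] != OID_BASIC_CONSTRAINTS:
                continue
            critical = fields[1][0] == 0x01 and fields[1][1] != b"\x00"
            _, bc_seq = next(der_children(fields[-1][1], 0, len(fields[-1][1])))
            is_ca = False                  # DER omits cA when it is the DEFAULT FALSE
            for t, v in der_children(bc_seq, 0, len(bc_seq)):
                if t == 0x01:
                    is_ca = v != b"\x00"
            return is_ca, critical
    return None


def is_end_entity_cert(cert_der):
    """Acceptance decision for a cert offered as the peer's EE cert:
    anything flagged CA:TRUE is not an end-entity certificate."""
    bc = basic_constraints(cert_der)
    return bc is None or not bc[0]


def der(tag, content):
    """Encode one DER TLV with a definite length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def build_skeleton_cert(is_ca, critical=True):
    """Constructed skeleton Certificate (assumed test input, not a real cert):
    only the basicConstraints extension is meaningful; names, key and
    signature are empty placeholders so the file is not verifiable."""
    bc = der(0x30, der(0x01, b"\xff") if is_ca else b"")
    ext = der(0x30, der(0x06, OID_BASIC_CONSTRAINTS)
                    + (der(0x01, b"\xff") if critical else b"")
                    + der(0x04, bc))
    tbs = der(0x30,
              der(0xA0, der(0x02, b"\x02"))                   # version: v3
              + der(0x02, b"\x01")                             # serialNumber
              + der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption
              + der(0x30, b"")                                 # issuer (placeholder)
              + der(0x30, der(0x17, b"230101000000Z") * 2)    # validity
              + der(0x30, b"")                                 # subject (placeholder)
              + der(0x30, b"")                                 # subjectPublicKeyInfo (placeholder)
              + der(0xA3, der(0x30, ext)))                     # [3] extensions
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))


if __name__ == "__main__":
    for label, cert in (("CA:TRUE cert", build_skeleton_cert(True)),
                        ("EE cert", build_skeleton_cert(False, critical=False))):
        print(label, basic_constraints(cert), "usable as EE:", is_end_entity_cert(cert))
```

On a real file, feed `basic_constraints()` the DER bytes (convert PEM with `openssl x509 -in cert.pem -outform DER`); a result of `(True, ...)` is the CA:TRUE case from the original report, and the fix is to issue a separate server/client certificate from that CA rather than to reuse the CA certificate itself.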