[Openswan Users] Re: authentication bug in KAME's racoon (fwd)
Paul Wouters
paul at xtdnet.nl
Tue Jun 15 23:37:48 CEST 2004
---------- Forwarded message ----------
Date: Tue, 15 Jun 2004 17:17:25 +0200 (CEST)
From: Michal Ludvig <michal at logix.cz>
Cc: bugtraq at securityfocus.com, vendor-sec at lst.de
To: thomas at unproved.org
Subject: Re: authentication bug in KAME's racoon
On Mon, 14 Jun 2004, Thomas Walpuski wrote:
> If OpenSSL fails on verifying the certificate, because it is expired,
> self-signed, signed by an inappropriate CA, not allowed for that
> purpose or the certificate chain is too long, racoon does not care
> about that and declares the verification successful. I dare to say
> that is brain dead.
Next time you may dare to contact the developers first...
Anyway, the linux port of racoon distributed in the IPsec-tools package
(http://ipsec-tools.sourceforge.net) is fixed. The new version is
IPsec-tools 0.3.3 and can be downloaded here:
http://sourceforge.net/project/showfiles.php?group_id=74601&package_id=74949&release_id=245982
Currently it only allows (but still warns) that CRL for the cert is
unavailable for certificates obtained from the IKE payload. All other
problems are treated as errors and ISAKMP negotiation fails.
For locally available certs (via peers_certfile statement) the rules are
more relaxed and because the certificate can be trustfully verified it is
allowed that it is expired, self-signed or "for other puropse". The
verification still succeeds but emits a warning.
Vendors are encouraged to update their packages.
Regards,
Michal Ludvig
--
* A mouse is a device used to point at the xterm you want to type in.
* Personal homepage - http://www.logix.cz/michal
More information about the Users
mailing list