[Openswan Users] FreeSwan query.

Andreas Steffen andreas.steffen at strongsec.net
Wed Nov 3 18:25:46 CET 2004


You probably load the peer certificate locally with

   rightcert=peerCert.pem

In that case direct trust in the peer certificate is established
and the trust chain up to the root certificate is not followed.

Additionally the peer sends its certificate via the IKE protocol.
In this case the trust chain is followed but no issuer certificate
is found. Hence an error message is issued and the received
certificate is rejected. But because the cert has already been
loaded locally, the connection can nevertheless be established.

Regards

Andreas

Vinod Chandran wrote:
> Hi,
> 
> In FreeS/WAN, when X.509 certificates are used for setting up
> connections, in case of the X.509 certificate getting rejected (say when the
> issuer CA is not found), the SA is still allowed to get established.
> 
> Is this a bug or is there a reasoning behind this operation?
> Does OpenSwan allow the same?
> 
> Thanks in advance,
> Regards,
> Vinod C

=======================================================================
Andreas Steffen                   e-mail: andreas.steffen at strongsec.com
strongSec GmbH                    home:   http://www.strongsec.com
Alter Zürichweg 20                phone:  +41 1 730 80 64
CH-8952 Schlieren (Switzerland)   fax:    +41 1 730 80 65
==========================================[strong internet security]===
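An added configuration example, not part of Andreas's reply or of the Openswan project's own files, that contrasts the two trust models described above in Openswan ipsec.conf syntax; the connection names, file names and DN values are assumed placeholders.

```ini
# Added example: two connection definitions showing where the peer
# certificate's trust comes from. All names and DNs are constructed.

# (a) Direct trust: the peer's end-entity certificate is loaded locally
#     via rightcert=. Pluto trusts that file as-is and does not walk the
#     chain to a CA, so a copy of the cert received in IKE that fails
#     chain validation does not prevent the SA from being established.
conn pinned-peer
    authby=rsasig
    left=%defaultroute
    leftcert=gatewayCert.pem          # our own cert, in /etc/ipsec.d/certs/
    leftrsasigkey=%cert
    right=%any
    rightcert=peerCert.pem            # peer cert in /etc/ipsec.d/certs/ (direct trust)
    rightrsasigkey=%cert
    auto=add

# (b) CA trust: no peer certificate is stored locally. The peer must send
#     its certificate in IKE, and it is accepted only if it chains to a CA
#     certificate present in /etc/ipsec.d/cacerts/ and issued by rightca=.
#     With no local copy to fall back on, a missing issuer rejects the peer.
conn ca-trusted-peer
    authby=rsasig
    left=%defaultroute
    leftcert=gatewayCert.pem
    leftrsasigkey=%cert
    right=%any
    rightrsasigkey=%cert
    rightid="C=CH, O=Example AG, CN=peer.example.com"    # placeholder DN
    rightca="C=CH, O=Example AG, CN=Example Root CA"     # placeholder DN
    auto=add
```

If the intent is to validate the chain rather than pin the peer, use form (b) and keep peerCert.pem out of /etc/ipsec.d/certs/, since a locally loaded copy is trusted directly regardless of the chain check.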