[Openswan Users] FreeSwan query.
Andreas Steffen
andreas.steffen at strongsec.net
Wed Nov 3 18:25:46 CET 2004
You probably load the peer certificate locally with
rightcert=peerCert.pem
In that case direct trust in the peer certificate is established
and the trust chain up to the root certificate is not followed.
Additionally the peer sends its certificate via the IKE protocol.
In this case the trust chain is followed but no issuer certificate
is found. Hence an error message is issued and the received
certificate is rejected. But because the cert has already been
loaded locally, the connection can nevertheless be established.
Regards
Andreas
Vinod Chandran wrote:
> Hi,
>
> In Free SWAN, when X.509 certificates are used for setting up
> connections, in case of X.509 certificate getting rejected( say when the
> issuer CA is not found), the SA is still allowed to get established.
>
> Is this a bug or is there a reasoning behind this operation?
> Does OpenSwan allow the same?
>
> Thanks in advance,
> Regards,
> Vinod C
=======================================================================
Andreas Steffen e-mail: andreas.steffen at strongsec.com
strongSec GmbH home: http://www.strongsec.com
Alter Zürichweg 20 phone: +41 1 730 80 64
CH-8952 Schlieren (Switzerland) fax: +41 1 730 80 65
==========================================[strong internet security]===
More information about the Users
mailing list