[Openswan Users] Certificate rejected but IPsec SA established

Paul Wouters paul at xelerance.com
Wed Mar 7 13:46:18 EST 2007


On Wed, 7 Mar 2007, Toby Chamberlain wrote:

>
> Is this the expected result when dealing with a self-signed certificate?
>
> Mar  7 10:06:19 left pluto[23382]: "left-right" #21: responding to Main Mode
> Mar  7 10:06:19 left pluto[23382]: "left-right" #21: transition from state
> (null) to state STATE_MAIN_R1
> Mar  7 10:06:19 left pluto[23382]: "left-right" #21: NAT-Traversal: Result
> using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
> Mar  7 10:06:19 left pluto[23382]: "left-right" #21: transition from state
> STATE_MAIN_R1 to state STATE_MAIN_R2
> Mar  7 10:06:19 left pluto[23382]: "left-right" #21: Peer ID is
> ID_DER_ASN1_DN: 'C=xx, ST=xx, L=xx, O=xx, CN=xx, E=xx'
> Mar  7 10:06:19 left pluto[23382]: "left-right" #21: end certificate with
> identical subject and issuer not accepted
> Mar  7 10:06:19 left pluto[23382]: "left-right" #21: X.509 certificate
> rejected
> Mar  7 10:06:19 left pluto[23382]: "left-right" #21: I am sending my cert
> Mar  7 10:06:19 left pluto[23382]: "left-right" #21: transition from state
> STATE_MAIN_R2 to state STATE_MAIN_R3
> Mar  7 10:06:19 left pluto[23382]: "left-right" #21: sent MR3, ISAKMP SA
> established
> Mar  7 10:06:19 left pluto[23382]: "left-right" #22: responding toQuick Mode
> Mar  7 10:06:20 left pluto[23382]: "left-right" #22: transition from state
> (null) to state STATE_QUICK_R1
> Mar  7 10:06:20 left pluto[23382]: "left-right" #22: transition from state
> STATE_QUICK_R1 to state STATE_QUICK_R2
> Mar  7 10:06:20 left pluto[23382]: "left-right" #22: IPsec SA established
> {ESP=>0x0xxxxxx <0x0xxxxxx}
>
> I get the error message "X.509 certificate rejected" because the subject and
> issuer are the same as the cacert, but the connection continues and a tunnel
> is created. Shouldn't the connection be refused if the certificate is
> rejected?

Yes it should. Did you use leftcert= and rightcert=? If so, then the whole CA
checking is not used, and the certificates are implicitly trusted when loaded
from disk.

If you did load both certificates on both ends, then I'd love to see
an ipsec barf and ipsec auto --listall at a freshly started openswan,
and after you have a connection established to confirm this as a bug.

We do have a bug assigned that we need a testcase for this, but it hasn't
been written yet :(

Paul
> Toby

-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
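The symptom in the thread (an "X.509 certificate rejected" line followed by "ISAKMP SA established" and then "IPsec SA established" on the same connection) is something a pluto log can be checked for mechanically. The following is an added example, not code from the thread or from Openswan. It assumes the syslog line format shown above (timestamp, host, `pluto[pid]:`, quoted connection name, `#state:`, message) and correlates the Main Mode and Quick Mode states only by connection name, since the quoted lines carry no explicit link between #21 and #22; that is an approximation. The second function follows Paul's explanation that a conn with both leftcert= and rightcert= set bypasses CA checking, and simply lists such conns from an ipsec.conf. The log lines and the ipsec.conf fragment are constructed sample data with dummy values.

```python
import re

# Matches one pluto syslog line as it appears in the thread (constructed format assumption).
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: '
    r'"(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$'
)

# Constructed sample modelled on the thread's log; wrapped lines re-joined, SPIs are dummies.
SAMPLE_LOG = """\
Mar  7 10:06:19 left pluto[23382]: "left-right" #21: responding to Main Mode
Mar  7 10:06:19 left pluto[23382]: "left-right" #21: Peer ID is ID_DER_ASN1_DN: 'C=xx, ST=xx, L=xx, O=xx, CN=xx, E=xx'
Mar  7 10:06:19 left pluto[23382]: "left-right" #21: end certificate with identical subject and issuer not accepted
Mar  7 10:06:19 left pluto[23382]: "left-right" #21: X.509 certificate rejected
Mar  7 10:06:19 left pluto[23382]: "left-right" #21: sent MR3, ISAKMP SA established
Mar  7 10:06:19 left pluto[23382]: "left-right" #22: responding to Quick Mode
Mar  7 10:06:20 left pluto[23382]: "left-right" #22: IPsec SA established {ESP=>0x0aaaaaaa <0x0bbbbbbb}
Mar  7 10:07:01 left pluto[23382]: "other-conn" #23: responding to Main Mode
Mar  7 10:07:01 left pluto[23382]: "other-conn" #23: sent MR3, ISAKMP SA established
Mar  7 10:07:02 left pluto[23382]: "other-conn" #24: IPsec SA established {ESP=>0x0ccccccc <0x0dddddddd}
"""

# Constructed ipsec.conf fragment: one conn pins both certs, one relies on the CA path.
SAMPLE_IPSEC_CONF = """\
conn left-right
    left=192.0.2.1
    leftcert=leftcert.pem
    right=192.0.2.2
    rightcert=rightcert.pem
    auto=add

conn ca-based
    left=192.0.2.1
    leftcert=leftcert.pem
    right=192.0.2.3
    rightid="C=xx, O=xx, CN=peer"
    auto=add
"""


def parse(lines):
    """Yield one dict per pluto line that matches LINE_RE; other lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_rejected_but_established(log_text):
    """Return (conn, main_mode_state, quick_mode_state) triples where a certificate
    was rejected in a Main Mode state that nevertheless reached ISAKMP SA established,
    and a later IPsec SA was established on the same connection name."""
    rejected = set()        # (conn, state) that logged an X.509 rejection
    tainted = {}            # conn -> Main Mode state that was rejected yet established
    findings = []
    for rec in parse(log_text.splitlines()):
        key = (rec["conn"], rec["state"])
        msg = rec["msg"]
        if "X.509 certificate rejected" in msg:
            rejected.add(key)
        elif "ISAKMP SA established" in msg and key in rejected:
            tainted[rec["conn"]] = rec["state"]
        elif "IPsec SA established" in msg and rec["conn"] in tainted:
            findings.append((rec["conn"], tainted[rec["conn"]], rec["state"]))
    return findings


def conns_with_both_certs_pinned(conf_text):
    """Return the sorted names of conn sections that set both leftcert= and rightcert=.
    Per Paul's reply, such conns trust the on-disk certificates without CA checking,
    so a 'rejected' certificate is not expected to block them."""
    conns, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return sorted(name for name, kv in conns.items() if "leftcert" in kv and "rightcert" in kv)


if __name__ == "__main__":
    for conn, mm, qm in find_rejected_but_established(SAMPLE_LOG):
        print(f"{conn}: cert rejected in #{mm} but IPsec SA established in #{qm}")
    print("conns pinning both certs:", conns_with_both_certs_pinned(SAMPLE_IPSEC_CONF))
```

On the sample data the first function reports only "left-right" (#21 rejected, #22 established) and leaves "other-conn" alone, and the second names "left-right" as the conn whose pinned certificates explain why the rejection did not stop the tunnel. Run against a real /var/log/secure or auth.log, a hit from the first check combined with a miss from the second is exactly the situation Paul asks to have confirmed with ipsec barf and ipsec auto --listall.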

