[Openswan Users] Patch: RSA signature authentication with self-signed X509 certificates

Dejan Bogdanović dejan.bogdanovic at datatek.rs
Thu Jul 1 09:27:56 EDT 2010

Hi all,

I recently stumbled upon a strange problem.

I was trying to make a VPN with rsasig authentication using self-signed 
x509 certificates between
CentOS 5.5 server with OpenSWAN 2.6.27 (built from source) and Windows 
XP client with
TheGreenBow VPN client (v. 4.65.003).

Everything kept failing with strange errors, and after 3 days of digging 
I've foud out why:

Function trusted_ca in x509chain.c always returns FALSE if root ca is 
self-signed one.

Therefore, authentication fails if you are using self-signed 
certificates. I've made a little patch that can help:


--- x509chain.c.old     2010-07-01 12:18:02.000000000 +0200
+++ x509chain.c 2010-07-01 12:34:41.000000000 +0200
@@ -291,7 +291,7 @@
         x509cert_t *cacert = get_authcert(a, empty_chunk, empty_chunk, 

         /* cacert not found or self-signed root cacert-> exit */
-       if (cacert == NULL || same_dn(cacert->issuer, a))
+       if (cacert == NULL)

         /* does the issuer of CA a match CA b? */


Apply this against openswan-2.6.27/lib/libopenswan/x509chain.c , rebuild 
everything, and it should work.

Is there a better way around instead of this?

Dejan B.

More information about the Users mailing list