[Openswan Users] Patch: RSA signature authentication with self-signed X509 certificates
Dejan Bogdanović
dejan.bogdanovic at datatek.rs
Thu Jul 1 09:27:56 EDT 2010
Hi all,
I recently stumbled upon a strange problem.
I was trying to make a VPN with rsasig authentication using self-signed
x509 certificates between a CentOS 5.5 server with OpenSWAN 2.6.27
(built from source) and a Windows XP client with TheGreenBow VPN client
(v. 4.65.003).
Everything kept failing with strange errors, and after 3 days of digging
I've found out why:
Function trusted_ca in x509chain.c always returns FALSE if the root CA is
a self-signed one.
Therefore, authentication fails if you are using self-signed
certificates. I've made a little patch that can help:
x509chain.patch:
-----------------------------------------------------------------------------------------------------------------
--- x509chain.c.old 2010-07-01 12:18:02.000000000 +0200
+++ x509chain.c 2010-07-01 12:34:41.000000000 +0200
@@ -291,7 +291,7 @@
x509cert_t *cacert = get_authcert(a, empty_chunk, empty_chunk,
AUTH_CA);
/* cacert not found or self-signed root cacert-> exit */
- if (cacert == NULL || same_dn(cacert->issuer, a))
+ if (cacert == NULL)
break;
/* does the issuer of CA a match CA b? */
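Review bot: Dropping the `same_dn(cacert->issuer, a)` test from the `if` in this hunk removes the loop's only exit for a self-signed root: once `get_authcert()` returns a certificate whose issuer equals `a`, each further iteration re-fetches the same certificate and the loop only ends when the path-length bound of the enclosing `while` runs out, and the comment left on the line above (`/* cacert not found or self-signed root cacert-> exit */`) still describes the check that was removed. Rather than deleting the check, keep it and treat the self-signed root as the terminal case: keep `if (cacert == NULL) break;`, then do the "does the issuer of CA a match CA b?" comparison that follows, and only after that comparison break when `same_dn(cacert->issuer, a)` holds, so the chain walk still stops at a self-signed root but no longer gives up before that root has been compared against CA b; update the comment accordingly. Separately, the hunk as pasted has lost its leading indentation and contains fewer lines than the `@@ -291,7 +291,7 @@` header declares, so `patch(1)` will not apply it as-is; attach the patch file instead of pasting it inline.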
-----------------------------------------------------------------------------------------------------------------
Apply this against openswan-2.6.27/lib/libopenswan/x509chain.c, rebuild
everything, and it should work.
Is there a better way around this?
Dejan B.