[Openswan Users] Patch: RSA signature authentication with self-signed X509 certificates
Paul Wouters
paul at xelerance.com
Sun Jul 4 17:07:03 EDT 2010
On Thu, 1 Jul 2010, Dejan Bogdanović wrote:
> I recently stumbled upon a strange problem.
>
> I was trying to make a VPN with rsasig authentication using self-signed
> x509 certificates between a CentOS 5.5 server with OpenSWAN 2.6.27 (built
> from source) and a Windows XP client with TheGreenBow VPN client (v. 4.65.003).
>
> Everything kept failing with strange errors, and after 3 days of digging
> I've found out why:
>
> Function trusted_ca in x509chain.c always returns FALSE if root ca is
> self-signed one.
>
> Therefore, authentication fails if you are using self-signed
> certificates. I've made a little patch that can help:
>
> x509chain.patch:
> -----------------------------------------------------------------------------------------------------------------
>
> --- x509chain.c.old 2010-07-01 12:18:02.000000000 +0200
> +++ x509chain.c 2010-07-01 12:34:41.000000000 +0200
> @@ -291,7 +291,7 @@
> x509cert_t *cacert = get_authcert(a, empty_chunk, empty_chunk,
> AUTH_CA);
>
> /* cacert not found or self-signed root cacert-> exit */
> - if (cacert == NULL || same_dn(cacert->issuer, a))
> + if (cacert == NULL)
> break;
>
> /* does the issuer of CA a match CA b? */
>
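Review bot: dropping `same_dn(cacert->issuer, a)` from the exit test removes the only condition that ends the walk at a self-signed root. A self-signed cacert's issuer is `a` itself, so continuing past it cannot move the chain up a level; the comparison that follows ("does the issuer of CA a match CA b?") merely compares `a` with `b` once more. If a self-signed root is meant to be accepted, make that an explicit trust decision where the result is computed rather than by deleting the exit condition, and update the comment on the line above, which still promises an exit for a "self-signed root cacert". The `cacert == NULL` branch is left untouched, and that is the one taken when the CA certificate has not been loaded from /etc/ipsec.d/cacerts/, which the reply below identifies as the actual cause.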
> -----------------------------------------------------------------------------------------------------------------
I think you just did not have the CAcert in /etc/ipsec.d/cacerts/.
This hack may work around your issue, but it is not the right fix. The right
fix is to make the CAcert available. It should show up in ipsec auto --listall.

Paul
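To make the disagreement in this thread concrete, here is an added example that is not Openswan's code and not part of either message: a simplified model of a CA chain walk with the same shape as the loop in the hunk (look up the certificate for CA `a`, stop if it is missing or self-signed, otherwise compare its issuer with the trusted CA `b` and climb). DNs are plain strings, the certificate store is an array standing in for the cacerts directory, and every DN, the `MAX_CA_PATH_LEN` value and the `stop_at_self_signed` switch are constructed here for illustration. The switch models the condition the patch removes, so the same walk can be run with and without it.

```c
/*
 * Added example, not Openswan's code: a simplified model of a CA chain walk.
 * DNs are plain strings, the "authcert list" is an array, and every name and
 * constant below is constructed for illustration.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_CA_PATH_LEN 7                       /* assumed bound on chain depth */
#define STORE_LEN(s) (sizeof(s) / sizeof((s)[0]))

typedef struct {
    const char *subject;   /* DN of the CA certificate */
    const char *issuer;    /* DN of its signer; equals subject for a self-signed root */
} ca_cert;

/* Constructed CA store standing in for the cacerts directory: two unrelated chains */
static const ca_cert STORE_FULL[] = {
    { "CN=Example Root CA",  "CN=Example Root CA" },   /* self-signed root */
    { "CN=Example Sub CA",   "CN=Example Root CA" },
    { "CN=Example Issuing",  "CN=Example Sub CA"  },
    { "CN=Other Root CA",    "CN=Other Root CA"   },   /* unrelated self-signed root */
    { "CN=Other Sub CA",     "CN=Other Root CA"   },
};

/* Same store with the intermediate left out: the walk has no certificate to follow */
static const ca_cert STORE_MISSING_SUB[] = {
    { "CN=Example Root CA",  "CN=Example Root CA" },
    { "CN=Example Issuing",  "CN=Example Sub CA"  },
};

static bool same_dn(const char *a, const char *b)
{
    return strcmp(a, b) == 0;
}

/* The CA certificate whose subject is `subject`, or NULL if it is not loaded */
static const ca_cert *get_authcert(const ca_cert *store, size_t n, const char *subject)
{
    for (size_t i = 0; i < n; i++)
        if (same_dn(store[i].subject, subject))
            return &store[i];
    return NULL;
}

/*
 * Does CA `a` chain up to trusted CA `b`?  `*pathlen` receives the number of
 * CA certificates examined.  `stop_at_self_signed` models the condition the
 * patch removes: when true, reaching a self-signed root ends the walk.
 */
static bool trusted_ca(const ca_cert *store, size_t n, const char *a, const char *b,
                       bool stop_at_self_signed, int *pathlen)
{
    bool match = false;
    *pathlen = 0;

    if (same_dn(a, b))                      /* a is the trusted CA itself */
        return true;

    while (*pathlen < MAX_CA_PATH_LEN) {
        const ca_cert *cacert = get_authcert(store, n, a);
        if (cacert == NULL)                 /* CA not in the store: cannot climb */
            break;
        (*pathlen)++;
        if (stop_at_self_signed && same_dn(cacert->issuer, a))
            break;                          /* reached a root that is not b */
        match = same_dn(cacert->issuer, b); /* does the issuer of a match b? */
        if (match)
            break;
        a = cacert->issuer;                 /* climb one level; a root's issuer is itself */
    }
    return match;
}

/* Only the number of lookups a walk performed */
static int chain_len(const ca_cert *store, size_t n, const char *a, const char *b, bool stop)
{
    int len;
    (void)trusted_ca(store, n, a, b, stop, &len);
    return len;
}

static void report(const char *label, const ca_cert *store, size_t n,
                   const char *a, const char *b, bool stop)
{
    int len;
    bool ok = trusted_ca(store, n, a, b, stop, &len);
    printf("%-38s %s after %d lookups\n", label, ok ? "trusted" : "untrusted", len);
}

int main(void)
{
    const char *root = "CN=Example Root CA";
    report("issuing CA -> its root:", STORE_FULL, STORE_LEN(STORE_FULL), "CN=Example Issuing", root, true);
    report("intermediate not loaded:", STORE_MISSING_SUB, STORE_LEN(STORE_MISSING_SUB), "CN=Example Issuing", root, true);
    report("unrelated chain, root check kept:", STORE_FULL, STORE_LEN(STORE_FULL), "CN=Other Sub CA", root, true);
    report("unrelated chain, root check removed:", STORE_FULL, STORE_LEN(STORE_FULL), "CN=Other Sub CA", root, false);
    return 0;
}
```

The first two runs show the two outcomes the thread is about: a complete chain is trusted after two lookups, and a chain whose CA certificate is not in the store stops at the `cacert == NULL` exit and is untrusted, which is the situation the reply describes. The last two runs walk an unrelated chain towards the wrong root: with the self-signed check in place the walk ends at the other root after two lookups, and with it removed the walk keeps looking up the same root, whose issuer is itself, until the depth bound is hit. The result is unchanged either way, so deleting the check gains nothing and only defers termination to the bound.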