[Openswan Users] X.509 certificate rejected - but allowing connection
cas.swan at xentech.co.uk
Mon Apr 27 10:56:08 EDT 2015
I think this is an old, old bug that still seems to be in the current code.
I have a road-warrior user who is able to use a certificate that has expired.
pluto reports the certificate rejection, but then carries on and enables the
pluto: "road1" xx.xx.xx.xx #468: checking validity of "C=GB, ...
pluto: "road1" xx.xx.xx.xx #468: X.509 certificate rejected
pluto: "road1" xx.xx.xx.xx #468: switched from "road1" to "road2"
I had an old version of openswan running on another system and it also saw the
verify_x509cert() correctly detects the cert is invalid. decode_cert() then
reports that, but for some reason that does not seem to get passed to the
I can't see how that invalid result is supposed to be passed back since
decode_cert() is declared void.
What is possibly a factor in this case is that the server _does_ have a valid
cert for this user. But the user is still able to use the expired, invalid copy.
In all other respects the system works (and has done for many years).
If anyone can give me a pointer to how the invalid cert information is supposed
to be detected in decode_peer_id() it would help.
More information about the Users