[Openswan Users] X.509 certificate rejected - but allowing connection

Clive cas.swan at xentech.co.uk
Mon Apr 27 10:56:08 EDT 2015


I think this is an old, old bug that still seems to be in the current code.

I have a road-warrior user who is able to use a certificate that has expired.
pluto reports the certificate rejection, but then carries on and enables the

pluto[393]: "road1"[8] xx.xx.xx.xx #468: checking validity of "C=GB, ...
pluto[393]: "road1"[8] xx.xx.xx.xx #468: X.509 certificate rejected
pluto[393]: "road1"[8] xx.xx.xx.xx #468: switched from "road1" to "road2"

I had an old version of openswan running on another system and it also saw the 
same issue.

verify_x509cert() correctly detects the cert is invalid. decode_cert() then 
reports that, but for some reason that does not seem to get passed to the 
calling code.

I can't see how that invalid result is supposed to be passed back since
decode_cert() is declared void.

What is possibly a factor in this case is that the server _does_ have a valid 
cert for this user. But the user is still able to use the expired, invalid copy. 
In all other respects the system works (and has done for many years).

If anyone can give me a pointer to how the invalid cert information is supposed 
to be detected in decode_peer_id() it would help.
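A minimal C model of the failure mode described above, added here as an illustration and not taken from Openswan's source: all struct and function names are hypothetical stand-ins for verify_x509cert(), decode_cert() and decode_peer_id(), and the sample certificate is constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* Hypothetical cert record: only the fields needed for the validity check. */
struct cert {
    const char *subject;
    time_t not_after;   /* end of validity, seconds since the epoch */
};

/* Stand-in for verify_x509cert(): true only while the cert is unexpired. */
static bool verify_cert(const struct cert *c, time_t now)
{
    return now <= c->not_after;
}

/* Buggy pattern: the rejection is logged and then discarded, because a
 * void function has no way to hand the verdict back to its caller. */
static void decode_cert_void(const struct cert *c, time_t now)
{
    if (!verify_cert(c, now))
        fprintf(stderr, "X.509 certificate rejected: %s\n", c->subject);
}

/* Fixed pattern: same log line, but the verdict is returned. */
static bool decode_cert_checked(const struct cert *c, time_t now)
{
    if (!verify_cert(c, now)) {
        fprintf(stderr, "X.509 certificate rejected: %s\n", c->subject);
        return false;
    }
    return true;
}

/* Callers modelled on decode_peer_id(): true means the peer goes on to
 * connection matching, false means authentication stops here. */
static bool peer_id_accepted_buggy(const struct cert *c, time_t now)
{
    decode_cert_void(c, now);   /* verdict lost; expired cert passes */
    return true;
}

static bool peer_id_accepted_fixed(const struct cert *c, time_t now)
{
    return decode_cert_checked(c, now);   /* expired cert is refused */
}

/* Constructed sample: a cert whose validity ended at t=1000. */
static const struct cert sample_cert = { "C=GB, CN=roadwarrior (constructed)", 1000 };
```

Evaluating sample_cert at t=2000 shows the difference: the buggy path still returns true, the fixed path returns false.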
