[Vpn-help] Chain verification on server certificate?

Tai-hwa Liang avatar at mmlab.cse.yzu.edu.tw
Thu Apr 19 09:00:20 CDT 2007


Hi,

   I'm using ShrewSoft VPN client 1.1.0 to connect to an ipsec-tools-0.6.7
gateway.  It appears to me that the IPSec daemon failed to verify the remote
certificate (Mutual RSA) since the server certificate in question was
signed by another non-self-signed CA; that is, the certification
path is: root CA -> level 1 CA -> level 2 CA -> server certificate.

   I have tried to specify either the root CA, L1 CA or L2 CA's certificate
in "Server Certificate Authority File."  Unfortunately none of them
worked for me.  In addition to that, I also tried to specify a .p12
file which includes the complete certificate chain (root, L1 & L2 CA),
but this didn't work as expected.

   If I remember correctly, OpenSSL supports chain verification
through adding a hashed directory (X509_LOOKUP_add_dir()).  I'm wondering
how to get Shrew VPN Client to support chain verification on the
server certificate.

   Following are the relevant protocol traces, which will probably be useful:

## : IPSEC Daemon, ver 1.1.0
## : Copyright 2006 Shrew Soft Inc.
## : This product linked OpenSSL 0.9.8a 11 Oct 2005
ii : rebuilding vnet device list ...
ii : device ROOT\VNET\0000 disabled
ii : rebuilding vprot interface list ...
ii : interface IP=192.168.22.2, MTU=1500, MAC=00:80:c8:38:13:49 active
ii : 1 adapter(s) active
[...]
ii : peerid match ( cert check only )
ii : src = /C=TW/ST=Taiwan/O=Company/CN=vpn.company.com/emailAddress=root at company.com
ii : local nat traversal is disabled
ii : unable to get issuer certificate(2) at depth:1
ii : subject :/C=TW/ST=Taiwan/O=Company/CN=Company Level 2 Certification Authority
!! : unable to verify remote peer certificate
ii : sent peer notification, AUTHENTICATION-FAILED
[...]
DB : phase1 sa deleted after expire time
DB : removing all tunnel refrences
ii : client ctrl thread exit ...
XX | ike packet from 59.104.108.179 ignored
XX | no tunnel defined for peer
XX | ike packet from 59.104.108.179 ignored
XX | no tunnel defined for peer

-- 
Cheers,

Tai-hwa Liang
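The trace above fails at depth 1 with "unable to get issuer certificate": the verifier holds the Level 2 CA certificate but cannot find its issuer, so no path to a trusted root can be built. The example below is added here and is not part of this thread or of the Shrew Soft client; it reproduces the four-level layout from the post using Go's crypto/x509 instead of OpenSSL, and verifies the server certificate first with the root alone and then with both intermediate CA certificates supplied. The CA names, the server name vpn.company.com and the Ed25519 keys are constructed for the demo and generated fresh on each run.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues a one-day certificate for cn with the given key usage, signed by
// parent/pkey; a nil parent means self-signed. Constructed demo keys, fresh on every run.
func mkCert(cn string, ku x509.KeyUsage, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: ku, IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed root: the certificate is its own issuer
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// chainOutcomes builds the poster's layout (root CA -> level 1 CA -> level 2 CA -> server)
// and verifies the server certificate trusting the root alone, then trusting the root with
// both intermediate CA certificates supplied. A nil error means a path to the root was found.
func chainOutcomes() (rootOnly, withIntermediates error) {
	root, rootKey := mkCert("Root CA", x509.KeyUsageCertSign, nil, nil)
	l1, l1Key := mkCert("Level 1 CA", x509.KeyUsageCertSign, root, rootKey)
	l2, l2Key := mkCert("Level 2 CA", x509.KeyUsageCertSign, l1, l1Key)
	server, _ := mkCert("vpn.company.com", x509.KeyUsageDigitalSignature, l2, l2Key)
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inter.AddCert(l1)
	inter.AddCert(l2)
	_, rootOnly = server.Verify(x509.VerifyOptions{Roots: roots})
	_, withIntermediates = server.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	return rootOnly, withIntermediates
}

func main() { fmt.Println(chainOutcomes()) }
```

With the root alone the first result is an unknown-authority error, exactly the situation in the trace; once the intermediates are available the second result is nil, which is why the trust store handed to the client has to carry the intermediate CA certificates and not just the root.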
