[Vpn-help] Chain verification on server certificate?
Matthew Grooms
mgrooms at shrew.net
Fri Apr 20 05:24:58 CDT 2007
On 4/20/2007, "Tai-hwa Liang" <avatar at mmlab.cse.yzu.edu.tw> wrote:
>Hi,
>
Hello,
> I'm using ShrewSoft VPN client 1.1.0 to connect an ipsec-tools-0.6.7
>gateway. It appears to me that the IPSec daemon failed to verify remote
>certificate (Mutual RSA) since the server certificate in question was
>signed by another non-self-signed CA; that is, the certification
>path is: root CA -> level 1 CA -> level 2 CA -> server certificate.
>
Thanks for testing out the client. The first thing I would like to
mention is that the 1.x branch is no longer being developed. The second
2.0 beta will be released within a few days. Any bug fixes or testing
will need to be performed using these new releases.
> I have tried to specify either root CA, L1 CA or L2 CA's certificate
>in "Server Certificate Authority File." Unfortunately none of them
>worked for me. In addition to that, I also tried to specify a .p12
>file which includes the complete certificate chain (root, L1 & L2 CA)
>but this didn't work as expected.
>
This is a scenario I hadn't considered. The client configuration
semantics may need to change a bit to support certificate chains.
> If I remember correctly, OpenSSL supports chain verification
>through adding a hashed directory (X509_LOOKUP_add_dir()). I'm wondering
>about how to get Shrew VPN Client to support chain verification on
>server certificate?
>
There may be some issues with the certificate verification code that will
require some modifications to support this. I think there is still
enough time to get these fixes into the 2.0 final release.
Unfortunately, I don't have a setup like this so I will need someone to
verify that the changes I make will fix the issue you identified. Would
you be willing to test some private beta builds?
Thanks for the feedback,
-Matthew
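The certification path from the report above, root CA -> level 1 CA -> level 2 CA -> server, rebuilt as a throwaway PKI with the openssl command line (an added example, not code from the thread or from the Shrew client). It shows the trust anchor alone failing to verify the server certificate, then the two ways the verifier can find the intermediates: supplying them as untrusted chain material, and the hashed CA directory that X509_LOOKUP_add_dir() and -CApath read. All names, the extension profiles and the temporary directory are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo PKI (not from the thread): root CA -> L1 CA -> L2 CA -> server.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Extension profiles: one for CA certificates, one for the end-entity cert.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\n' > ee.ext

newcsr() {  # newcsr NAME: fresh RSA key and CSR with CN=NAME
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
}
issue() {   # issue NAME SIGNER EXTFILE: certificate for NAME signed by SIGNER
    newcsr "$1"
    openssl x509 -req -days 2 -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
        -CAcreateserial -extfile "$3" -out "$1.pem" 2>/dev/null
}

# Self-signed root (the trust anchor), then the two intermediates and the server.
newcsr root
openssl x509 -req -days 2 -in root.csr -signkey root.key -extfile ca.ext \
    -out root.pem 2>/dev/null
issue l1 root ca.ext
issue l2 l1 ca.ext
issue server l2 ee.ext
cat l1.pem l2.pem > intermediates.pem

# Hashed directory as X509_LOOKUP_add_dir()/-CApath expects: <subject-hash>.0
mkdir hashed
for c in root l1 l2; do
    cp "$c.pem" "hashed/$(openssl x509 -noout -hash -in "$c.pem").0"
done

# Trust anchor only: the L2 issuer cannot be found, so verification fails.
verify_root_only() { openssl verify -CAfile root.pem server.pem >/dev/null 2>&1; }
# Anchor plus the intermediates as untrusted chain material: succeeds.
verify_with_chain() {
    openssl verify -CAfile root.pem -untrusted intermediates.pem server.pem >/dev/null 2>&1
}
# Hashed directory lookup, the mechanism asked about in the thread: succeeds.
verify_hashed_dir() { openssl verify -CApath hashed server.pem >/dev/null 2>&1; }

for f in verify_root_only verify_with_chain verify_hashed_dir; do
    if "$f"; then echo "$f: verified"; else echo "$f: NOT verified"; fi
done
```

With `-CAfile root.pem` alone openssl reports `unable to get local issuer certificate`, the same failure mode as the report: the anchor is correct, but nothing tells the verifier where the level 1 and level 2 CA certificates are.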