[Vpn-help] Chain verification on server certificate?

Matthew Grooms mgrooms at shrew.net
Fri Apr 20 05:24:58 CDT 2007


On 4/20/2007, "Tai-hwa Liang" <avatar at mmlab.cse.yzu.edu.tw> wrote:
>Hi,
>

Hello,

>   I'm using ShrewSoft VPN client 1.1.0 to connect to an ipsec-tools-0.6.7
>gateway.  It appears to me that the IPSec daemon failed to verify the remote
>certificate (Mutual RSA) since the server certificate in question was
>signed by another non-self-signed CA; that is, the certification
>path is: root CA -> level 1 CA -> level 2 CA -> server certificate.
>

Thanks for testing out the client. The first thing I would like to
mention is that the 1.x branch is no longer being developed. The second
2.0 beta will be released within a few days. Any bug fixes or testing
will need to be performed using these new releases.

>   I have tried to specify either the root CA, L1 CA or L2 CA's certificate
>in "Server Certificate Authority File." Unfortunately none of them
>worked for me.  In addition to that, I also tried to specify a .p12
>file which includes the complete certificate chain (root, L1 & L2 CA)
>but this didn't work as expected.
>

This is a scenario I hadn't considered. The client configuration
semantics may need to change a bit to support certificate chains.

>   If I remember correctly, OpenSSL supports chain verification
>through adding a hashed directory (X509_LOOKUP_add_dir()).  I'm wondering
>how to get the Shrew VPN Client to support chain verification on the
>server certificate?
>

There may be some issues with the certificate verification code that will
require some modifications to support this. I think there is still
enough time to get these fixes into the 2.0 final release.
Unfortunately, I don't have a setup like this so I will need someone to
verify that the changes I make will fix the issue you identified. Would
you be willing to test some private beta builds?

Thanks for the feedback,

-Matthew
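As an added example that is not part of this thread, the chain Tai-hwa describes (root CA -> level 1 CA -> level 2 CA -> server certificate) can be rebuilt with the openssl CLI to see which trust-store layouts let OpenSSL complete verification: a lone root or lone L2 CA file, the root plus untrusted intermediates, and the hashed directory that X509_LOOKUP_add_dir() (the -CApath lookup) reads. All subjects, file names and the working directory are constructed for the example; it assumes an openssl binary (1.1.1 or newer) with its default config file installed.

```shell
#!/bin/sh
# Added example, not code from the thread or the Shrew Soft client.
# Builds a three-level CA chain and a server certificate, then tries
# the trust-store layouts discussed on the list. Names are constructed.
set -eu
WORK=$(mktemp -d); cd "$WORK"

# Extension files: CA certificates must carry CA:TRUE, the leaf must not.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > srv.ext

# issue NAME SUBJECT ISSUER EXTFILE: new key + CSR, signed by ISSUER (or self).
issue() {
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  openssl req -new -key "$1.key" -subj "/CN=$2" -out "$1.csr"
  if [ "$3" = self ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 30 -extfile "$4" -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
      -days 30 -extfile "$4" -out "$1.pem" 2>/dev/null
  fi
}
issue root "Example Root CA"    self ca.ext
issue l1   "Example Level 1 CA" root ca.ext
issue l2   "Example Level 2 CA" l1   ca.ext
issue srv  "vpn.example.invalid" l2  srv.ext

# Hashed directory as X509_LOOKUP_add_dir()/-CApath expects: one file per CA
# named <subject-name-hash>.0 (assumes the three subject hashes do not collide).
mkdir certs
for c in root l1 l2; do cp "$c.pem" "certs/$(openssl x509 -noout -hash -in "$c.pem").0"; done
cat l1.pem l2.pem > intermediates.pem

# Each function returns openssl verify's status: 0 means a path to a trust anchor was built.
verify_root_only()  { openssl verify -CAfile root.pem srv.pem; }                  # fails: L1/L2 unknown
verify_l2_only()    { openssl verify -CAfile l2.pem srv.pem; }                    # fails: L2 not self-signed
verify_l2_partial() { openssl verify -partial_chain -CAfile l2.pem srv.pem; }     # OK: L2 accepted as anchor
verify_untrusted()  { openssl verify -CAfile root.pem -untrusted intermediates.pem srv.pem; } # OK
verify_hashed_dir() { openssl verify -CApath certs srv.pem; }                     # OK: issuers found by hash

for f in verify_root_only verify_l2_only verify_l2_partial verify_untrusted verify_hashed_dir; do
  if "$f" >/dev/null 2>&1; then echo "$f: OK"; else echo "$f: FAIL"; fi
done
```

The two failing cases match the symptom in the thread: OpenSSL only accepts a chain that ends at a self-signed certificate in the store (or at any store certificate when partial chains are allowed), and it needs the intermediates either supplied as untrusted certificates or reachable through the hashed directory.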
