[Vpn-help] Chain verification on server certificate?

Tai-hwa Liang avatar at mmlab.cse.yzu.edu.tw
Sat Apr 21 06:22:22 CDT 2007


On Fri, 20 Apr 2007, Matthew Grooms wrote:
>
> On 4/20/2007, "Tai-hwa Liang" <avatar at mmlab.cse.yzu.edu.tw> wrote:
>> Hi,
>>
>
> Hello,
>
>>   I'm using ShrewSoft VPN client 1.1.0 to connect to an ipsec-tools-0.6.7
>> gateway.  It appears to me that the IPSec daemon failed to verify the remote
>> certificate (Mutual RSA) since the server certificate in question was
>> signed by another non-self-signed CA; that is, the certification
>> path is: root CA -> level 1 CA -> level 2 CA -> server certificate.
>>
>
> Thanks for testing out the client. The first thing I would like to
> mention is that the 1.x branch is no longer being developed. The second
> 2.0 beta will be released within a few days. Any bug fixes or testing
> will need to be performed using these new releases.

   Understood.  Will give the 2.0 branch a try.  Hope that will fix
the .vpn importing bug I observed in 1.1.0.

>>   I have tried to specify the root CA's, L1 CA's or L2 CA's certificate
>> in "Server Certificate Authority File."  Unfortunately none of them
>> worked for me.  In addition to that, I also tried to specify a .p12
>> file which includes the complete certificate chain (root, L1 & L2 CA),
>> but this didn't work as expected.
>>
> This is a scenario I hadn't considered. The client configuration
> semantics may need to change a bit to support certificate chains.
>
>>   If I remember correctly, OpenSSL supports chain verification
>> through adding a hashed directory (X509_LOOKUP_add_dir()).  I'm wondering
>> how to get the Shrew VPN Client to support chain verification on the
>> server certificate?
>>
> There may be some issues with the certificate verification code that will
> require some modifications to support this. I think there is still
> enough time to get these fixes into the 2.0 final release.
>
> Unfortunately, I don't have a setup like this so I will need someone to
> verify that the changes I make will fix the issue you identified. Would
> you be willing to test some private beta builds?

   Sure.  Feel free to point me to the download URL. :)

> Thanks for the feedback,

   Out of curiosity, is there any plan to support the Windows built-in cert/key
store in the upcoming release, so that users don't have to keep
duplicated keys/certs in different places (for example, people who use the
Windows XP built-in EAP-TLS already have to import their own key/cert into
the Windows cert/key database) and can possibly utilise off-line storage
such as smart cards?

-- 
Thanks,

Tai-hwa Liang
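The following script is an added example, not code from this thread or from the Shrew Soft project. It builds a throwaway PKI with the same shape as the one described (root CA -> L1 CA -> L2 CA -> server certificate, all names are constructed test values) and shows which trust configurations let `openssl verify` accept the server certificate, including a hashed directory of the kind X509_LOOKUP_add_dir() reads. It assumes the openssl command-line tool (1.1.1 or 3.x) is installed.

```sh
#!/bin/sh
# Added example: reproduce the root -> L1 -> L2 -> server hierarchy with
# throwaway keys and check which trust sources let OpenSSL verify the leaf.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > ee.ext

# csr NAME: fresh RSA key and CSR with CN=NAME (constructed test names)
csr() { openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "/CN=$1" 2>/dev/null; }
# issue NAME ISSUER EXT: sign NAME's CSR with ISSUER's key, applying extensions from EXT
issue() { openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial -days 1 -extfile "$3" -out "$1.crt" 2>/dev/null; }

csr root; openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile ca.ext -out root.crt 2>/dev/null
csr l1;     issue l1 root ca.ext       # level 1 CA, signed by the root
csr l2;     issue l2 l1 ca.ext         # level 2 CA, signed by L1
csr server; issue server l2 ee.ext     # gateway certificate, signed by L2
cat l1.crt l2.crt > chain.pem          # intermediates the client would need

# Hashed directory as consumed by X509_LOOKUP_add_dir(): each CA cert is stored
# as <subject-name-hash>.0 so an issuer can be found by hashing the issuer name.
mkdir capath
for c in root l1 l2; do cp "$c.crt" "capath/$(openssl x509 -subject_hash -noout -in "$c.crt").0"; done

# Each check returns openssl's verdict: 0 only if a chain to a trusted self-signed root was built.
# Root only: L1/L2 are unknown to the verifier, so the chain cannot be completed.
verify_only_root()  { openssl verify -no-CApath -CAfile root.crt server.crt >/dev/null 2>&1; }
# L2 only: L2 is trusted but not self-signed; OpenSSL keeps looking for L2's issuer and fails.
verify_only_l2()    { openssl verify -no-CApath -CAfile l2.crt server.crt >/dev/null 2>&1; }
# Root as trust anchor plus the intermediates supplied as untrusted chain material.
verify_with_chain() { openssl verify -no-CApath -CAfile root.crt -untrusted chain.pem server.crt >/dev/null 2>&1; }
# Hashed directory containing all three CAs: issuers are located by name hash.
verify_capath()     { openssl verify -no-CAfile -CApath capath server.crt >/dev/null 2>&1; }

for t in verify_only_root verify_only_l2 verify_with_chain verify_capath; do
  if "$t"; then echo "$t: accepted"; else echo "$t: rejected"; fi
done
```

The first two checks reproduce the failures reported above (a single CA file, whichever level, is not enough); the last two show the two ways of giving the verifier the full chain.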
