[vpn-help] Unable to verify remote peer certificate

Michael shrewlist at encambio.com
Fri Apr 16 04:16:19 CDT 2010


Hello Tai-hwa,

On Fri., Apr 16, 2010, Tai-hwa Liang wrote:
> On Wed, 31 Mar 2010, Michael wrote:
>>  ii : unable to get local issuer certificate(20) at depth:0
>>  ii : subject :/CN=name.host.tld
>>  !! : unable to verify remote peer certificate
>>
>> The host 'name.host.tld' is in the SubjectAltName of the X.509
>> certificate loaded on the ike v1 server m0n0wall 1.31. I have
>> concatenated the root and intermediate CA certificates of
>> CaCert.org to the file 'cacert-combi.pem':
>>
>> s:ident-server-type:asn1dn
>> s:auth-server-cert:/home/username/.ike/certs/cacert-combi.pem
>> s:auth-client-cert:/home/username/.ike/certs/myclienthost-cacert-rsa-4096-crt.pem
>> s:auth-client-key:/home/username/.ike/keys/myclienthost-cacert-rsa-4096-key.pem
>>
>> What can be the problem?
>>
> The default verification facility in UN*X version of Shrew VPN
> doesn't support multiple levels of CAs.  I've submitted a patch
> a few years ago which should be able to workaround this problem.
>
That's great, so I suppose you had the same problem yourself? After
testing your patch I'll let you know if it solves the problem I
described.

> Since the attached patch was for 2.1.0 release, you're likely
> to have to resolve possible conflict after applying it to recent
> release.
>
No problem, I'll carefully integrate the patch into the most recent
release. It's too bad that the Shrew developers don't want to
support CA cert chaining. Very strange.

Regards,
Michael
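The error quoted at the top of this thread, "unable to get local issuer certificate(20) at depth:0", is OpenSSL's X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: the verifier looked at the leaf (depth 0) and could not find the certificate that issued it. When the server certificate was issued by an intermediate CA, that happens whenever the verifier never gets to see the intermediate, which is what Tai-hwa describes for the default one-level verification in the UN*X Shrew client. The script below is an added example, not code from the thread or from the Shrew VPN project: it builds a constructed root -> intermediate -> leaf hierarchy with the openssl command-line tool, reproduces the error 20 at depth 0 by verifying the leaf against the root alone, and then shows that a chain-aware verifier accepts the same "cacert-combi.pem" layout Michael built (root and intermediate concatenated), and also the more conventional layout where only the root is trusted and the intermediate is passed as untrusted. The CA names and key sizes are made up here; only the host name name.host.tld is taken from the post. It is a useful first check in Michael's situation, because it separates "the concatenated CA file is wrong" from "the client cannot walk a chain".

```shell
#!/bin/sh
# Added example (not from the thread): reproduce "error 20 at 0 depth"
# with a constructed two-level CA hierarchy, then show which trust-store
# layouts a chain-aware verifier (openssl verify) accepts.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config so the example does not depend on a system
# openssl.cnf. The [dn] section is a placeholder; -subj overrides it.
cat > "$WORK/pki.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = placeholder

[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_inter ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer

[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:name.host.tld
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
EOF

# Constructed hierarchy: "Example Root CA" -> "Example Intermediate CA" ->
# leaf for name.host.tld. 2048-bit keys keep generation fast; the key size
# has no bearing on chain building.
make_pki() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" \
    -subj "/CN=Example Root CA" -config "$WORK/pki.cnf" -extensions v3_root >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" \
    -subj "/CN=Example Intermediate CA" -config "$WORK/pki.cnf" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1 -out "$WORK/inter.pem" \
    -extfile "$WORK/pki.cnf" -extensions v3_inter >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
    -subj "/CN=name.host.tld" -config "$WORK/pki.cnf" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 1 -out "$WORK/leaf.pem" \
    -extfile "$WORK/pki.cnf" -extensions v3_leaf >/dev/null 2>&1
  # The file layout from the post: root and intermediate concatenated.
  cat "$WORK/root.pem" "$WORK/inter.pem" > "$WORK/cacert-combi.pem"
}

# Trust store = root only, intermediate nowhere in sight: the verifier
# cannot find the leaf's issuer and stops at depth 0 with error 20.
root_only_fails() { ! openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1; }
root_only_error() { openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" 2>&1 || true; }

# Trust store = root + intermediate in one file (Michael's cacert-combi.pem).
# A chain-aware verifier walks leaf -> intermediate -> root and accepts it.
combi_ok() { openssl verify -CAfile "$WORK/cacert-combi.pem" "$WORK/leaf.pem" >/dev/null 2>&1; }

# Conventional layout: only the root is trusted, the intermediate is
# supplied as an untrusted chain certificate (as a server would send it).
untrusted_ok() { openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" "$WORK/leaf.pem" >/dev/null 2>&1; }

# Chain plus hostname: name.host.tld must appear in the SubjectAltName.
san_ok() { openssl verify -CAfile "$WORK/cacert-combi.pem" -verify_hostname name.host.tld "$WORK/leaf.pem" >/dev/null 2>&1; }

make_pki
echo "--- trust store = root only (intermediate missing from verification)"
root_only_error
echo "--- trust store = root + intermediate concatenated"
combi_ok && echo "leaf.pem: OK"
echo "--- trust store = root, intermediate passed as -untrusted"
untrusted_ok && echo "leaf.pem: OK"
san_ok && echo "hostname name.host.tld matches SubjectAltName"
```

Running this needs only a POSIX shell and an openssl binary (1.1.1 or later; the -addext-free config keeps it working on both 1.1.1 and 3.x). The first block of output is the same diagnostic Michael saw, "error 20 at 0 depth lookup: unable to get local issuer certificate"; the two later blocks pass, which is the result one would expect from a verifier that builds chains. If the real cacert-combi.pem and server certificate pass the combi_ok-style check with openssl verify but the client still rejects the peer, the CA file is fine and the client's verification code is the place to look, which is consistent with Tai-hwa's diagnosis.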
