[vpn-help] Unable to verify remote peer certificate

Matthew Grooms mgrooms at shrew.net
Wed Apr 21 13:44:26 CDT 2010


On 4/20/2010 6:38 AM, Tai-hwa Liang wrote:
>>
>> I don't believe concatenating the certificate files together will have
>> any effect. A lot of work was done between 2.1.4 and 2.1.6 to handle a
>> multi-certificate chain to be interpreted correctly when received from
>> the peer during phase1 negotiations. And on the windows platform, we
>> have a special directory where a user can drop additional certificates
>> that are used as intermediates during certificate verification. But on
>> Linux/BSD, there is no analog to this.
>
> Did you try the attached patch I've sent you a few years ago? I believe
> it supports chained/concatenated certificates inside a single .pem file.
> Even better, it also supports .p12 file that includes user's key pair and
> complete CA certificate chain.
>
> Given that this patch only utilises standard OpenSSL APIs, it should be
> portable amongst WIN32 and UN*X Shrew VPN implementations.
>
>> I think we need to allow a certificate directory to be passed instead of
>> a single certificate file. This will allow a client to configure a group
>> of certificate files that can be used for chained authentication.
>> Unfortunately, I don't have time to do this at the moment. This should
>> be completed before 2.2.0 release. Sorry I can't be more help at this
>> time.
>
> IMHO, the problem in directory based certificate storage is that there are
> multiple directories which can be confusing to users. I've run into this
> in 2.1.0 (not sure if it is fixed in recent release) since I put the
> chained .pem into 'My Document/Shrew .../certificate' rather than
> 'Program Files/Shrew VPN/certificate.' The former path didn't seem to be
> in ShrewVPN's default certificate search path and thus caused failure
> in subsequent server certificate verification process.

Thanks for reminding me of your patch. I'll try to have a closer look at 
this in the coming week.

-Matthew
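The failure discussed in this thread comes down to chain building: the gateway sends its end-entity certificate, the client trusts a root, and unless the intermediate that sits between them is available somewhere (sent by the peer, concatenated into the .pem, or carried as an "additional certificate" in a .p12), no path to the root exists and verification fails. The script below is an added example written for this page, not Shrew Soft code and not Tai-hwa Liang's patch; it uses the Python "cryptography" library rather than the OpenSSL C API the patch uses. The PKI (Test Root CA, Test Issuing CA, vpn.example.net) is generated in-process, the certificates are assumed to be ECDSA-signed, and build_chain is a deliberately minimal model of what a verifier does (issuer/subject matching, signature, CA flag and validity period), not a full RFC 5280 path validator (no name constraints, no revocation, no key-usage checks).

```python
# Added example (not Shrew Soft code): complete an IKE peer's certificate chain
# from a concatenated PEM bundle and from a PKCS#12 file. Every certificate is
# generated here (a constructed test PKI), so the script runs offline.
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID


def make_cert(subject_cn, subject_key, issuer_cn, issuer_key, ca):
    """Sign a minimal certificate; BasicConstraints marks the CAs (test PKI only)."""
    def cn(s):
        return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, s)])
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(cn(subject_cn)).issuer_name(cn(issuer_cn))
            .public_key(subject_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(minutes=5))
            .not_valid_after(now + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))


def load_pem_bundle(pem_bytes):
    """Split a concatenated PEM file into its certificates, in file order."""
    begin, end = b"-----BEGIN CERTIFICATE-----", b"-----END CERTIFICATE-----"
    certs, pos = [], 0
    while (start := pem_bytes.find(begin, pos)) >= 0:
        stop = pem_bytes.find(end, start) + len(end)
        certs.append(x509.load_pem_x509_certificate(pem_bytes[start:stop]))
        pos = stop
    return certs


def signed_by(cert, issuer):
    """True if issuer's subject names cert's issuer and its key verifies cert's
    signature. ECDSA is assumed because the test PKI below uses P-256 keys."""
    if cert.issuer != issuer.subject:
        return False
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def in_validity(cert):
    now = datetime.utcnow()
    return cert.not_valid_before <= now <= cert.not_valid_after


def usable_issuer(cert):
    """An issuer must carry the CA flag in BasicConstraints and be within its dates."""
    try:
        is_ca = cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    except x509.ExtensionNotFound:
        is_ca = False
    return is_ca and in_validity(cert)


def build_chain(leaf, extra_certs, trusted_roots, max_depth=8):
    """Walk leaf -> ... -> trusted root, taking links from the peer-sent and locally
    stored certificates. Returns the ordered chain, or None when a link (typically
    the intermediate) is missing: that is the situation behind an "unable to
    verify remote peer certificate" failure when the bundle holds only the root."""
    if not in_validity(leaf):
        return None
    chain = [leaf]
    for _ in range(max_depth):
        current = chain[-1]
        for root in trusted_roots:
            if usable_issuer(root) and signed_by(current, root):
                return chain + [root]
        nxt = next((c for c in extra_certs
                    if c not in chain and usable_issuer(c) and signed_by(current, c)), None)
        if nxt is None:
            return None
        chain.append(nxt)
    return None


def p12_roundtrip(key, cert, cas):
    """Pack key + leaf + CA chain into a PKCS#12 blob and read it back; the
    'additional certificates' it returns are the extra_certs for build_chain."""
    blob = pkcs12.serialize_key_and_certificates(b"vpn", key, cert, cas,
                                                 serialization.NoEncryption())
    return pkcs12.load_key_and_certificates(blob, None)


def to_pem(cert):
    return cert.public_bytes(serialization.Encoding.PEM)


def demo():
    """Constructed PKI: root -> issuing CA -> VPN gateway (the IKE peer)."""
    root_key, ca_key, peer_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = make_cert("Test Root CA", root_key, "Test Root CA", root_key, True)
    ca = make_cert("Test Issuing CA", ca_key, "Test Root CA", root_key, True)
    peer = make_cert("vpn.example.net", peer_key, "Test Issuing CA", ca_key, False)
    # ca.pem with the intermediate concatenated in, versus the root alone
    good = build_chain(peer, load_pem_bundle(to_pem(ca) + to_pem(root)), [root])
    bad = build_chain(peer, load_pem_bundle(to_pem(root)), [root])
    _, leaf, extra = p12_roundtrip(peer_key, peer, [ca, root])
    from_p12 = build_chain(leaf, extra, [root])
    return good, bad, from_p12


if __name__ == "__main__":
    good, bad, from_p12 = demo()
    print("with intermediate:", [c.subject.rfc4514_string() for c in good])
    print("root only:", bad)
    print("from .p12:", len(from_p12))
```

The two calls in demo() are the two configurations the thread contrasts: a ca.pem that holds only the root reproduces the failure, while the same file with the intermediate concatenated in (or a .p12 whose extra certificates carry the chain) lets the verifier complete the path. Order inside the bundle does not matter to build_chain, which is why concatenating works as long as the loader reads every certificate in the file rather than only the first.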


