BugTraq
authentication bug in KAME's racoon Jun 14 2004 06:56PM
Thomas Walpuski (thomas-bugtraq unproved org) (1 replies)
Re: authentication bug in KAME's racoon Jun 15 2004 03:17PM
Michal Ludvig (michal logix cz) (1 replies)
On Mon, 14 Jun 2004, Thomas Walpuski wrote:

> If OpenSSL fails on verifying the certificate, because it is expired,
> self-signed, signed by an inappropriate CA, not allowed for that
> purpose or the certificate chain is too long, racoon does not care
> about that and declares the verification successful. I dare to say
> that is brain dead.

Next time you may dare to contact the developers first...

Anyway, the linux port of racoon distributed in the IPsec-tools package
(http://ipsec-tools.sourceforge.net) is fixed. The new version is
IPsec-tools 0.3.3 and can be downloaded here:
http://sourceforge.net/project/showfiles.php?group_id=74601&package_id=74949&release_id=245982

Currently it only allows (but still warns) that CRL for the cert is
unavailable for certificates obtained from the IKE payload. All other
problems are treated as errors and ISAKMP negotiation fails.

For locally available certs (via peers_certfile statement) the rules are
more relaxed and because the certificate can be trustfully verified it is
allowed that it is expired, self-signed or "for other purpose". The
verification still succeeds but emits a warning.

Vendors are encouraged to update their packages.

Regards,

Michal Ludvig
--
* A mouse is a device used to point at the xterm you want to type in.
* Personal homepage - http://www.logix.cz/michal

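The two behaviours described in the message, side by side, as an added example that is not part of the original post and is not code from racoon or IPsec-tools: it is written in Go rather than racoon's C so that it runs with only the standard library. It builds a throwaway CA and four peer certificates in memory (good, expired, self-signed, issued for another purpose), then compares a verifier that discards the chain-verification result with one that applies the 0.3.3 policy: every failure is fatal for a certificate taken from the IKE payload, while a locally configured certificate that is expired, self-signed or meant for another purpose passes with a warning. The names `FromPayload`, `FromLocalFile`, `BrokenVerify`, `FixedVerify`, the fixture and the choice of the IPSECUser extended key usage as the expected purpose are this example's own assumptions. Go's `crypto/x509` performs no CRL lookups, so the one remaining exception for payload certificates (CRL unavailable, warn only) is not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

type CertSource int // where the peer certificate came from
type Verdict int

const FromPayload, FromLocalFile CertSource = 0, 1 // IKE payload vs. racoon's peers_certfile
const Reject, AcceptWithWarning, Accept Verdict = 0, 1, 2

// BrokenVerify mirrors the reported bug: the chain is checked, but the
// result is discarded and the certificate is declared valid regardless.
func BrokenVerify(cert *x509.Certificate, roots *x509.CertPool) Verdict {
	_, _ = cert.Verify(x509.VerifyOptions{Roots: roots}) // error ignored
	return Accept
}

// FixedVerify: every failure is fatal for payload certificates; a locally
// configured certificate that is expired, self-signed (not issued by a
// trusted CA) or meant for another purpose is accepted with a warning.
func FixedVerify(cert *x509.Certificate, roots *x509.CertPool, src CertSource) (Verdict, error) {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageIPSECUser}})
	if err == nil {
		return Accept, nil
	}
	if src == FromLocalFile && relaxable(err) {
		return AcceptWithWarning, err // caller logs err as a warning
	}
	return Reject, err
}

func relaxable(err error) bool {
	var inv x509.CertificateInvalidError
	if errors.As(err, &inv) {
		return inv.Reason == x509.Expired || inv.Reason == x509.IncompatibleUsage
	}
	var unk x509.UnknownAuthorityError
	return errors.As(err, &unk)
}

// Fixture: a constructed in-memory CA plus one leaf certificate per case.
type Fixture struct {
	Roots  *x509.CertPool
	Leaves map[string]*x509.Certificate
}

func BuildFixture() *Fixture {
	caTmpl := template("Constructed IPsec CA", 1, -1, 24)
	caTmpl.IsCA, caTmpl.BasicConstraintsValid = true, true
	caTmpl.KeyUsage, caTmpl.ExtKeyUsage = x509.KeyUsageCertSign, nil // no EKU: any purpose
	ca, caKey := makeCert(caTmpl, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	email := template("peer-email", 5, -1, 1)
	email.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}
	leaves := map[string]*x509.Certificate{}
	leaves["good"], _ = makeCert(template("peer-good", 2, -1, 1), ca, caKey)
	leaves["expired"], _ = makeCert(template("peer-expired", 3, -2, -1), ca, caKey)
	leaves["self-signed"], _ = makeCert(template("peer-self", 4, -1, 1), nil, nil)
	leaves["wrong-purpose"], _ = makeCert(email, ca, caKey)
	return &Fixture{Roots: roots, Leaves: leaves}
}

// template builds a leaf template valid from now+startH to now+endH hours.
func template(cn string, serial int64, startH, endH int) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(time.Duration(startH) * time.Hour), NotAfter: now.Add(time.Duration(endH) * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageIPSECUser}}
}

// makeCert generates a fresh P-256 key and signs tmpl with parentKey; a nil parent means self-signed.
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c, key
}

func main() {
	f := BuildFixture()
	for name, c := range f.Leaves {
		payload, err := FixedVerify(c, f.Roots, FromPayload)
		local, _ := FixedVerify(c, f.Roots, FromLocalFile)
		fmt.Printf("%-14s broken=%d payload=%d local=%d err=%v\n", name, BrokenVerify(c, f.Roots), payload, local, err)
	}
}
```

Running it prints one line per certificate: `BrokenVerify` reports every certificate as accepted, while `FixedVerify` rejects the expired, self-signed and wrong-purpose certificates when they arrive in the payload and downgrades the same three to accept-with-warning only when the certificate is locally configured. The point worth keeping from the thread is the shape of the fixed code: the verifier's error is consumed and classified, and only an explicit allow-list of conditions, tied to where the certificate came from, may turn a failure into a warning.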
Re: authentication bug in KAME's racoon Jun 15 2004 06:20PM
Thomas Walpuski (thomas-bugtraq unproved org) (1 replies)
Re: authentication bug in KAME's racoon Jun 17 2004 08:57AM
Michal Ludvig (michal logix cz)
Copyright 2010, SecurityFocus