You are the second user reporting the use of CERT_PKCS7_WRAPPED_X509
certificate payloads by Windows XP. And now it seems that this format
is chosen in the presence of multi-level X.509 trust chains. So I think
we must do something about this and offer some support in future
versions of the X.509 patch.

Since I don't have an XP installation readily available, could you
please send me a log with plutodebug=all set in ipsec.conf, containing
the part where the PKCS#7 certificate is transmitted? I think that my
ASN.1 parser has become flexible enough that with little additional
effort it might be possible to parse the PKCS#7 certificate format.

Regards

Andreas

Mikael Lönnroth wrote:
>
> Hellos,
>
> I (by accident) happened to try to connect to FreeS/WAN using native Windows
> XP IPsec. The certificate setup:
>
> Root CA
> |
> Company CA (signed by Root CA)
> |
> User CA (signed by Company CA)
>
> Now, please correct me if I am wrong, but it seems that XP sends the public
> key(s) using a PKCS#7 structure when using a CA + Sub-CA. This will result
> in the following:
>
> Apr 8 08:26:49 vpnserve Pluto[2188]: "standard_REMOTE_31_1" 1.2.3.4 #4:
> ignoring CERT_PKCS7_WRAPPED_X509 certificate payload
>
> ... which effectively stops the negotiation.
>
> Am I correct in my assumptions?
>
> Kindly,
> Mikael Lönnroth
>
> gml_at_advancevpn.com
> http://www.advancevpn.com
>
======================================================================
Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH phone: +41 76 340 25 56
Alter Zuerichweg 20 fax: +41 52 268 74 34
CH-8952 Schlieren (Switzerland) web: http://www.strongsec.com
======================================================================
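
To make the two certificate formats discussed above concrete, here is an added example (not code from Pluto or the X.509 patch) that parses an IKEv1 CERT payload as laid out in RFC 2408 section 3.9 and reports whether its data is a bare X.509 certificate or a PKCS#7 signedData wrapper. The function names, the encoding labels other than CERT_PKCS7_WRAPPED_X509, and the sample bytes are assumptions constructed for illustration.

```python
import struct

# Certificate Encoding values from RFC 2408, section 3.9. Labels other than
# CERT_PKCS7_WRAPPED_X509 are this example's own naming (assumption).
CERT_ENCODINGS = {1: "CERT_PKCS7_WRAPPED_X509", 4: "CERT_X509_SIGNATURE", 7: "CERT_CRL"}
# DER encoding of the PKCS#7 signedData OID 1.2.840.113549.1.7.2
OID_SIGNED_DATA = bytes.fromhex("06092a864886f70d010702")
# Constructed samples: minimal DER skeletons, not real certificates.
PKCS7_SAMPLE = bytes.fromhex("300d") + OID_SIGNED_DATA + bytes.fromhex("a000")
X509_SAMPLE = bytes.fromhex("30063004a0020500")


def der_header(buf, off=0):
    """Return (tag, content_offset, content_length) for the DER TLV at off."""
    if len(buf) < off + 2:
        raise ValueError("truncated DER header")
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first < 0x80:                      # short form length
        return tag, off, first
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or n > 4 or len(buf) < off + n:
        raise ValueError("unsupported or truncated DER length")
    return tag, off + n, int.from_bytes(buf[off:off + n], "big")


def build_cert_payload(encoding, cert_data):
    """Hypothetical helper: wrap cert_data in an ISAKMP CERT payload."""
    return struct.pack("!BBHB", 0, 0, 5 + len(cert_data), encoding) + cert_data


def classify_cert_payload(payload):
    """Parse one ISAKMP CERT payload and report what its data really is."""
    if len(payload) < 5:
        raise ValueError("CERT payload shorter than its fixed header")
    _next, _reserved, length, encoding = struct.unpack("!BBHB", payload[:5])
    if length != len(payload):
        raise ValueError("length field does not match payload size")
    data = payload[5:]
    tag, start, size = der_header(data)
    if tag != 0x30 or start + size != len(data):
        raise ValueError("data is not exactly one DER SEQUENCE")
    # PKCS#7 ContentInfo starts with the content-type OID; an X.509
    # Certificate starts with the nested tbsCertificate SEQUENCE instead.
    is_pkcs7 = data[start:].startswith(OID_SIGNED_DATA)
    return {"encoding": CERT_ENCODINGS.get(encoding, "UNKNOWN_%d" % encoding),
            "pkcs7_signed_data": is_pkcs7,
            "consistent": is_pkcs7 == (encoding == 1)}

print(classify_cert_payload(build_cert_payload(1, PKCS7_SAMPLE)))
```

A responder that only accepts encoding 4 will drop a payload classified as CERT_PKCS7_WRAPPED_X509 here, which matches the "ignoring" log line quoted in the thread.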
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:50 CEST