From: Andreas Steffen (andreas.steffen_at_strongsec.net)
Date: Mon Oct 28 2002 - 21:17:28 CET
Yes, the X.509 patch can work with self-signed certificates. They must
be loaded locally using the
rightcert=
parameter. Direct trust is then put into the self-signed cert although
no CA certificate exists. Additionally the peer sends its self-signed
cert via the IKE protocol. The cert will be rejected since self-signed
certs are never accepted via the IKE protocol. But this does not matter
since the cert has already been loaded locally.
Regards
Andreas
Joshua Jackson wrote:
> Is it possible to use a self signed cert with the recent x.509 cert patches?
> During connection negotiation a message is displayed that the CA certificate
> cannot be located and the certificate has been rejected... the really
> odd thing is that the tunnel will go ahead and connect. However, during
> re-keying additional errors are generated about an expired or unknown SA.
>
> I have found that if I use x.509 patch 0.9.15 on FreeSwan .98b on both
> systems, these errors are displayed, but the tunnels will remain intact. On
> mismatched versions of the x.509 cert patch, the tunnel will go dead during
> re-keying (it still shows up, but will not pass traffic). In addition, if
> mismatched versions are used, attempting to restart the tunnel from one end
> without resetting FreeSwan on the other will result in Pluto pclose() error
> for pretty much every function in the _updown script (which has not been
> modified).
>
> In short, is it still possible to use self-signed certs with the x.509 cert
> patch? My current product uses OpenSSL to generate a self-signed cert that
> must be exchanged with other firewalls to establish the tunnel... I can
> rewrite this to require an external CA, but don't really want to :)
>
> Kernel version is 2.4.18.
>
> BTW - is anyone keeping a list of required external utilities? This is being
> used in an embedded system, so I try to keep things to a bare minimum. On
> that same note, is it possible to use any other shell besides the whopping
> 500K BASH? (I tried ASH and the scripts fail miserably).
>
> --
> Joshua Jackson
> jjackson_at_vortech.net
> http://www.coyotelinux.com
======================================================================
Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH phone: +41 76 340 25 56
Alter Zürichweg 20 home: http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
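As an added illustration of the "direct trust via rightcert=" setup described in the reply above (this is example configuration, not from the original thread or the X.509 patch's own documentation), the ipsec.conf fragment below shows one end of such a connection. The connection name, IP addresses, file names and DNs are constructed; the parameter names leftcert/rightcert, leftid/rightid, authby and the %cert pseudo-key are written as the X.509 patch of that era used them, but the exact spelling should be checked against the README shipped with the patch version in use. Each host loads the peer's self-signed certificate from its local certificate directory, so the copy the peer sends over IKE is redundant; the "CA certificate cannot be located / certificate rejected" message in the log refers to that redundant copy and, per the reply, is expected.

```ini
; /etc/ipsec.conf (example, constructed for illustration)
; Assumes: own self-signed cert and private key were created with OpenSSL,
; the peer's self-signed cert was copied out-of-band into the local
; certificate directory (assumed: /etc/ipsec.d/certs/), and no CA exists.

config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none

conn %default
        keyingtries=1
        authby=rsasig          ; certificate (RSA signature) authentication

conn gw-a-to-gw-b
        ; --- this side ---
        left=192.0.2.1                          ; constructed address
        leftsubnet=10.1.0.0/24                  ; constructed subnet
        leftcert=gw-a-selfsigned.pem            ; own cert, loaded locally
        leftid="C=CH, O=Example, CN=gw-a"       ; must match the cert subject
        leftrsasigkey=%cert                     ; take public key from cert
        ; --- peer ---
        right=192.0.2.2                         ; constructed address
        rightsubnet=10.2.0.0/24                 ; constructed subnet
        rightcert=gw-b-selfsigned.pem           ; peer's self-signed cert,
                                                ; directly trusted because it
                                                ; is loaded here, not via IKE
        rightid="C=CH, O=Example, CN=gw-b"      ; must match that cert's subject
        rightrsasigkey=%cert
        auto=add
```

The other gateway uses the mirror image (left/right swapped, its own cert as leftcert, this host's cert as rightcert). Because there is no CA, the only thing that binds the peer to its identity is the file placed in the local certificate directory, so that file has to be obtained and copied over a channel that is itself trusted, and replacing it is the only way to rotate or revoke the peer's key. Keeping both ends on the same version of the X.509 patch, as the original poster observed, avoids the rekeying failures described in the question.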
This archive was generated by hypermail 2.1.5 : Tue Oct 29 2002 - 05:20:31 CET