On Mon, 14 Jun 2004, Thomas Walpuski wrote: > If OpenSSL fails on verifying the certificate, because it is expired, > self-signed, signed by an inappropriate CA, not allowed for that > purpose or the certificate chain is too long, racoon does not care > about that and declares the verification successful. I dare to say > that is brain dead. Next time you may dare to contact the developers first... Anyway, the linux port of racoon distributed in the IPsec-tools package (http://ipsec-tools.sourceforge.net) is fixed. The new version is IPsec-tools 0.3.3 and can be downloaded here: http://sourceforge.net/project/showfiles.php?group_id=74601&package_id=74949&release_id=245982 Currently it only allows (but still warns) that CRL for the cert is unavailable for certificates obtained from the IKE payload. All other problems are treated as errors and ISAKMP negotiation fails. For locally available certs (via peers_certfile statement) the rules are more relaxed and because the certificate can be trustfully verified it is allowed that it is expired, self-signed or "for other puropse". The verification still succeeds but emits a warning. Vendors are encouraged to update their packages. Regards, Michal Ludvig -- * A mouse is a device used to point at the xterm you want to type in. * Personal homepage - http://www.logix.cz/michal
