
(racoon 529) Re: How to prevent racoon from accepting unknown self-signed certificates?



 In your previous mail you wrote:

   abstract:
   - racoon accepts unknown self-signed certificates
   - how can racoon be configured to deny those?
   
=> it can't be configured, but you can patch the source to remove
this feature: in crypto_openssl.c, function cb_check_cert(), remove the
case for X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT ...
   
   I am pretty sure that this is not the way it's intended to work :o)
   
=> I'm not (:-)

Regards

Francis.Dupont@enst-bretagne.fr

PS: of course you can configure all the possible peers explicitly, but this is
painful, and perhaps you'd like to make racoon refuse some other
common X.509 cert warnings... BTW, look at the verify command doc for
a description of how OpenSSL's X509_verify_cert() works.