[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

(racoon 539) Re: [Ipsec-tools-devel] Re: authentication bug in KAME's racoon (fwd)



I have imported the fix from ipsec-tools into the kame repository.
Can anyone check it on *BSD if it works or not ?

> Anyway, IPsec-tools 0.3.3 are out with the following behaviour:
> 
> It only allows (but still warns) that CRL for the cert is unavailable for
> certificates obtained from the IKE payload. All other problems are treated
> as errors and ISAKMP negotiation fails.
> 
> For locally available certs (via peers_certfile statement) the rules are
> more relaxed and because the certificate can be trustfully verified it is
> allowed that it is expired, self-signed or "for other puropse". The
> verification still succeeds but emits a warning.