(racoon 539) Re: [Ipsec-tools-devel] Re: authentication bug in KAME's racoon (fwd)
- To: firstname.lastname@example.org
- Subject: (racoon 539) Re: [Ipsec-tools-devel] Re: authentication bug in KAME's racoon (fwd)
- From: Shoichi Sakane <email@example.com>
- Date: Wed, 16 Jun 2004 21:12:17 +0900
- Cc: firstname.lastname@example.org, email@example.com
- In-reply-to: Your message of "Tue, 15 Jun 2004 17:25:35 +0200 (CEST)" <Pine.LNX.email@example.com>
- References: <Pine.LNX.firstname.lastname@example.org>
- Reply-to: email@example.com
- Sender: firstname.lastname@example.org
I have imported the fix from ipsec-tools into the kame repository.
Can anyone check it on *BSD if it works or not?
> Anyway, IPsec-tools 0.3.3 are out with the following behaviour:
> It only allows (but still warns) that CRL for the cert is unavailable for
> certificates obtained from the IKE payload. All other problems are treated
> as errors and ISAKMP negotiation fails.
> For locally available certs (via peers_certfile statement) the rules are
> more relaxed and because the certificate can be trustfully verified it is
> allowed that it is expired, self-signed or "for other purpose". The
> verification still succeeds but emits a warning.
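
The policy described in the quoted announcement, written out as an added example (not code from racoon or ipsec-tools): a per-error decision of the kind a certificate verify callback makes, where the outcome depends on where the certificate came from. The enum and function names are hypothetical, the numeric values mirror OpenSSL's X509_V_ERR_* codes, and tolerating a missing CRL for local certificates as well is a reading of "more relaxed".

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical names; values mirror OpenSSL's X509_V_ERR_* codes. */
enum verr { VERR_OK = 0, VERR_UNABLE_TO_GET_CRL = 3, VERR_CERT_SIGNATURE_FAILURE = 7,
            VERR_CERT_HAS_EXPIRED = 10, VERR_DEPTH_ZERO_SELF_SIGNED = 18,
            VERR_INVALID_PURPOSE = 26 };
enum cert_source { CERT_FROM_IKE_PAYLOAD, CERT_FROM_PEERS_CERTFILE };
enum verdict { V_ACCEPT, V_WARN, V_REJECT };   /* ordered by severity */

/* Decide a single verification error for a certificate from the given source. */
static enum verdict judge_error(enum cert_source src, int err)
{
    if (err == VERR_OK) return V_ACCEPT;
    if (err == VERR_UNABLE_TO_GET_CRL) return V_WARN;   /* tolerated, but logged */
    if (src == CERT_FROM_PEERS_CERTFILE)
        switch (err) {                                  /* relaxed set for local certs */
        case VERR_CERT_HAS_EXPIRED:
        case VERR_DEPTH_ZERO_SELF_SIGNED:
        case VERR_INVALID_PURPOSE:
            return V_WARN;
        }
    return V_REJECT;   /* default deny: anything not listed fails the negotiation */
}

/* Combine every error raised during one chain verification; the worst verdict wins. */
static enum verdict judge_chain(enum cert_source src, const int *errs, size_t n)
{
    enum verdict worst = V_ACCEPT;
    for (size_t i = 0; i < n; i++) {
        enum verdict v = judge_error(src, errs[i]);
        if (v == V_WARN)
            fprintf(stderr, "WARNING: tolerated verify error %d\n", errs[i]);
        if (v > worst)
            worst = v;
    }
    return worst;
}

/* Constructed sample: a certificate that is expired and has no CRL available. */
static const int sample_errs[] = { VERR_UNABLE_TO_GET_CRL, VERR_CERT_HAS_EXPIRED };

int main(void)
{
    static const char *name[] = { "accept", "accept with warning", "reject" };
    printf("IKE payload:    %s\n", name[judge_chain(CERT_FROM_IKE_PAYLOAD, sample_errs, 2)]);
    printf("peers_certfile: %s\n", name[judge_chain(CERT_FROM_PEERS_CERTFILE, sample_errs, 2)]);
    return 0;
}
```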