[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
(racoon 539) Re: [Ipsec-tools-devel] Re: authentication bug in KAME's racoon (fwd)
- To: racoon@kame.net
- Subject: (racoon 539) Re: [Ipsec-tools-devel] Re: authentication bug in KAME's racoon (fwd)
- From: Shoichi Sakane <sakane@kame.net>
- Date: Wed, 16 Jun 2004 21:12:17 +0900
- Cc: bbuesker@qualcomm.com, ipsec-tools-devel@lists.sourceforge.net
- Delivered-to: racoon-archive@kame.net
- Delivered-to: racoon-outgo@kame.net
- Delivered-to: racoon@kame.net
- In-reply-to: Your message of "Tue, 15 Jun 2004 17:25:35 +0200 (CEST)" <Pine.LNX.4.53.0406151719430.1448@maxipes.logix.cz>
- References: <Pine.LNX.4.53.0406151719430.1448@maxipes.logix.cz>
- Reply-to: racoon@kame.net
- Sender: owner-racoon@kame.net
I have imported the fix from ipsec-tools into the kame repository.
Can anyone check it on *BSD if it works or not ?
> Anyway, IPsec-tools 0.3.3 are out with the following behaviour:
>
> It only allows (but still warns) that CRL for the cert is unavailable for
> certificates obtained from the IKE payload. All other problems are treated
> as errors and ISAKMP negotiation fails.
>
> For locally available certs (via peers_certfile statement) the rules are
> more relaxed and because the certificate can be trustfully verified it is
> allowed that it is expired, self-signed or "for other puropse". The
> verification still succeeds but emits a warning.