On Thu, 6 Apr 2023 16:00:31 +0530 Gayathri Manoj <[email protected]> wrote:
> Hi All,
>
> We have upgraded the libreswan version from 3.20 to 3.25 and are getting
> the below errors.
>
> " Mar 31 00:03:21.870077: "71170605222_x509" #1672: X509: *no EE-cert in chain!*
> Mar 31 00:03:21.870105: "71170605222_x509" #1672: X509: *Certificate rejected for this connection*
> Mar 31 00:03:21.870119: "71170605222_x509" #1672: X509: CERT payload bogus or revoked
> Mar 31 00:03:21.870151: "71170605222_x509" #1672: sending encrypted notification INVALID_ID_INFORMATION to 10.77.32.99:500"
>
> Our cert has the below extension:
>
> *X509v3 Basic Constraints: critical*
>
> *CA:TRUE*
>
> Please let us know if it is due to our certificate issue. With the same
> certificate it worked for the system where the libreswan version is
> 3.20.
> When we upload the CA signed certificate with web server template then
> no issues.
>
> Please let us know if it is due to a libreswan limitation or the
> certificate issue.

Self-signed certificates (CA-certificates) should not be used as VPN
certificates. You should use proper server/client certificates instead.

Older versions of libreswan don't have the same level of certificate
verification as later ones.

-- 
Tuomo Soini <[email protected]>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
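A way to check a certificate for the `CA:TRUE` flag discussed above and to issue a proper end-entity certificate from a CA, as an added example that is not part of the original thread. The file names, subject names and the OpenSSL config sections (`v3_ca`, `v3_ee`) are assumptions made for the demo, and it only requires the `openssl` command line tool.

```shell
#!/bin/sh
# Added example (not from the thread). File names, subjects and the
# config below are constructed for the demo.

# Print "CA" if the certificate asserts CA:TRUE in basicConstraints,
# otherwise "EE" (an absent extension also means "not a CA").
cert_role() {
    if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
        echo CA
    else
        echo EE
    fi
}

# Build a demo CA plus an end-entity certificate signed by it in dir $1.
make_demo_certs() {
    d=$1
    cat > "$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_ee]
basicConstraints = critical,CA:FALSE
keyUsage = digitalSignature
subjectAltName = DNS:vpn-gw.example.test
EOF
    # Self-signed CA: a trust anchor, not an identity certificate.
    openssl req -x509 -config "$d/demo.cnf" -extensions v3_ca \
        -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo VPN CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    # Key and CSR for the VPN endpoint.
    openssl req -new -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=vpn-gw.example.test" \
        -keyout "$d/ee.key" -out "$d/ee.csr" 2>/dev/null &&
    # The CA issues the end-entity certificate with CA:FALSE.
    openssl x509 -req -in "$d/ee.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -extfile "$d/demo.cnf" \
        -extensions v3_ee -out "$d/ee.pem" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo_certs "$demo_dir"
echo "ca.pem: $(cert_role "$demo_dir/ca.pem")"
echo "ee.pem: $(cert_role "$demo_dir/ee.pem")"
```

Running `cert_role` on the certificate intended as the connection's identity before importing it shows whether it is a CA certificate of the kind the reply says not to use.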
