iked does not recognize ikectl certificate
Lorenz Jiha
2021-03-18 22:25:22 UTC
Hi,

I've been using iked for a few years with certificate authentication for my
roadwarrior Linux without any trouble.

I took a 6.8 fresh install and, as usual, used ikectl to generate a new CA
and certificates.

But when I try to connect to the OBSD iked, authentication is refused for
my client with this message:
ca_validate_cert: /C=FR/ST=France/L=Paris/O=XXX rejecting self-signed
certificate

If I syspatch the server, the error message becomes:

ca_validate_cert: /C=FR/ST=France/L=Paris/O=XXX unsupported or invalid name
syntax

If I restart from a 6.7 box and generate my certificate, everything is OK,
but if I upgrade to 6.8, same behavior.

Has anyone met the same behavior?

Thanks
Theo Buehler
2021-03-19 19:20:41 UTC
Post by Lorenz Jiha
Hi,
I've been using iked for a few years with certificate authentication for my
roadwarrior Linux without any trouble.
I took a 6.8 fresh install and, as usual, used ikectl to generate a new CA
and certificates.
But when I try to connect to the OBSD iked, authentication is refused for
ca_validate_cert: /C=FR/ST=France/L=Paris/O=XXX rejecting self-signed
certificate
ca_validate_cert: /C=FR/ST=France/L=Paris/O=XXX unsupported or invalid name
syntax
This is manifestly caused by the new name constraints code that is part
of the new x509 verifier shipped in 6.8. The syspatch changed back to
using the old verifier code, but keeps using the new name constraints
code. That's why the error changed - "rejecting self-signed certificate"
is a catch-all used in iked.

It would be helpful if you could generate a new certificate and share
this (off-list if you prefer) so that we can look at precisely what
causes the issue.
Post by Lorenz Jiha
If I restart from a 6.7 box and generate my certificate, everything is OK,
but if I upgrade to 6.8, same behavior.
Has anyone met the same behavior?
Thanks