On Tue, Feb 07, 2017 at 11:23:29AM -0500, Christopher Sean Hilton wrote:
> I'm using isakmpd to manage an ipsec VPN between OpenBSD 5.8 <-> OpenBSD
> 6.0. This also manages a VPN between Mac OS X/ IPsecuritas and OpenBSD 6.0.
>

Some more information on this and possibly a real question:

Here are the logs from the OpenBSD 5.8 machine:

130142.003702 Cryp 40 x509_read_from_dir: reading certs from /etc/isakmpd/ca/
130142.004443 Cryp 60 x509_read_from_dir: reading certificate /etc/isakmpd/ca/Readme.md
130142.004825 Default x509_read_from_dir: PEM_read_X509 failed for /etc/isakmpd/ca/Readme.md
130142.004921 Cryp 60 x509_read_from_dir: reading certificate /etc/isakmpd/ca/ca.crt
130142.006237 Cryp 60 x509_read_from_dir: reading certificate /etc/isakmpd/ca/root.crt
130142.007072 Cryp 60 x509_read_from_dir: reading certificate /etc/isakmpd/ca/sign.crt
130142.008005 Cryp 50 x509_read_from_dir: X509_STORE_add_cert failed for /etc/isakmpd/ca/sign.crt
130142.008133 Cryp 40 x509_read_from_dir: reading certs from /etc/isakmpd/certs/

The intermediate cert, .../ca/sign.crt, is an x509 CA cert which is signed by
.../ca/root.crt, yet X509_STORE_add_cert fails to add it to the chain. I'm
expecting sign.crt to be accepted because it's issued by root.crt.

Q: Is X509_STORE_add_cert trying to build a chain, or is it expecting a list
of self-signed root certificates?

--
Chris
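A quick way to see what isakmpd will find in a CA directory is to walk it with the openssl command line the same way x509_read_from_dir does: try every file as a PEM certificate, note which ones are self-signed, check which root in the directory each intermediate actually verifies against, and flag files that carry a certificate already read from an earlier file. That last check matters because X509_STORE_add_cert does not build or validate a chain when it is called; it only inserts the object into the store (chain building happens later, in X509_verify_cert), and in the OpenSSL 1.0 / LibreSSL lineage it returns failure when an equal certificate is already in the store (X509_R_CERT_ALREADY_IN_HASH_TABLE). The script below is an added example for this thread, not isakmpd code; it builds its own constructed demo directory (root.crt, sign.crt, a stale copy sign.crt.old, and a Readme.md) and needs only a POSIX sh and the openssl binary.

```shell
#!/bin/sh
# Audit a CA directory the way isakmpd's x509_read_from_dir walks it: every
# file is tried as a PEM certificate, and each one is reported as a
# self-signed root, an intermediate (with the root in the directory that
# verifies it, if any), a duplicate of a certificate already read, or not a
# certificate at all.  Added example, not isakmpd code.

# subject/issuer/serial of one PEM certificate; non-zero status if it is not one.
cert_fields() {
    openssl x509 -in "$1" -noout -subject -issuer -serial 2>/dev/null
}

# Exit 0 if certificate $2 verifies with $1 as the only trust anchor.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

field() {   # field NAME TEXT -> value of the "NAME=" line in TEXT
    printf '%s\n' "$2" | sed -n "s/^$1=//p"
}

# Audit directory $1, printing one line per file.
audit_ca_dir() {
    ca_dir=$1
    seen=""                       # issuer|serial of certificates already accepted
    for f in "$ca_dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        if ! fields=$(cert_fields "$f"); then
            echo "$name: not a PEM certificate (PEM_read_X509 would fail)"
            continue
        fi
        subj=$(field subject "$fields")
        iss=$(field issuer "$fields")
        key="$iss|$(field serial "$fields")"
        if printf '%s\n' "$seen" | grep -qxF -- "$key"; then
            echo "$name: duplicate of a certificate already read (same issuer and serial)"
            continue
        fi
        seen=$(printf '%s\n%s' "$seen" "$key")
        if [ "$subj" = "$iss" ]; then
            echo "$name: self-signed root, subject=$subj"
            continue
        fi
        # Not self-signed: look for a self-signed file in the same directory
        # that verifies it, i.e. the trust anchor chain building would need.
        issuer_file=""
        for r in "$ca_dir"/*; do
            [ -f "$r" ] && [ "$r" != "$f" ] || continue
            rf=$(cert_fields "$r") || continue
            [ "$(field subject "$rf")" = "$(field issuer "$rf")" ] || continue
            if chain_ok "$r" "$f"; then
                issuer_file=$(basename "$r")
                break
            fi
        done
        if [ -n "$issuer_file" ]; then
            echo "$name: intermediate, verifies against $issuer_file"
        else
            echo "$name: intermediate, no root in directory verifies it (issuer=$iss)"
        fi
    done
}

# Constructed demo directory: a root CA, an intermediate CA signed by it, a
# stale copy of the intermediate, and a stray Readme.md.  Keys and the
# openssl config live in a separate work directory so they are not picked
# up as candidate certificates.
make_demo_dir() {
    ca_dir=$1
    work=$(mktemp -d)
    cat > "$work/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
commonName = Common Name
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 2 \
        -config "$work/ca.cnf" -subj "/CN=Demo Root CA" \
        -keyout "$work/root.key" -out "$ca_dir/root.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$work/ca.cnf" -subj "/CN=Demo Signing CA" \
        -keyout "$work/sign.key" -out "$work/sign.csr" 2>/dev/null
    openssl x509 -req -in "$work/sign.csr" -days 2 \
        -CA "$ca_dir/root.crt" -CAkey "$work/root.key" \
        -CAserial "$work/root.srl" -CAcreateserial \
        -extfile "$work/ca.cnf" -extensions ca_ext \
        -out "$ca_dir/sign.crt" 2>/dev/null
    cp "$ca_dir/sign.crt" "$ca_dir/sign.crt.old"   # read after sign.crt, so flagged
    echo "Put CA certificates here." > "$ca_dir/Readme.md"
    rm -rf "$work"
}

demo_dir=$(mktemp -d)
make_demo_dir "$demo_dir"
audit_ca_dir "$demo_dir"
```

To check a live system, call audit_ca_dir /etc/isakmpd/ca instead of the constructed directory. chain_ok uses openssl verify with a single -CAfile, which mirrors what X509_verify_cert needs at the top of a chain: a self-signed root it trusts. Older openssl binaries did not always return a non-zero exit status from verify, so on very old builds check its printed OK line rather than the status.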

