On Apr 6, 2023, at 07:17, Tuomo Soini <[email protected]> wrote:

> On Thu, 6 Apr 2023 16:00:31 +0530
> Gayathri Manoj <[email protected]> wrote:
>
>> Hi All,
>>
>> We have upgraded the libreswan version from 3.20 to 3.25 and are getting
>> the below errors.
>>
>> " Mar 31 00:03:21.870077: "71170605222_x509" #1672: X509: *no EE-cert in chain!*
>> Mar 31 00:03:21.870105: "71170605222_x509" #1672: X509: *Certificate rejected for this connection*
>> Mar 31 00:03:21.870119: "71170605222_x509" #1672: X509: CERT payload bogus or revoked
>> Mar 31 00:03:21.870151: "71170605222_x509" #1672: sending encrypted notification INVALID_ID_INFORMATION to 10.77.32.99:500"
>>
>> Our cert has the below extension:
>>
>> *X509v3 Basic Constraints: critical*
>> * CA:TRUE*

This means the certificate is a CA cert (aka self-signed); it is not an end certificate (EE).

>> Please let us know if it is due to our certificate. With the same
>> certificate it worked on the system where the libreswan version is 3.20.
>> When we upload the CA-signed certificate with the web server template,
>> there are no issues.
>>
>> Please let us know whether it is due to a libreswan limitation or the
>> certificate.
>
> Self-signed certificates (CA certificates) should not be used as VPN
> certificates. You should use proper server/client certificates instead.
>
> Older versions of libreswan don't have the same level of certificate
> verification as later ones.

Indeed, although if you load these certificates on both sides with leftcert= and rightcert=, I believe it will work, as it won't validate the cert since it's hard coded. It does mean both sides must add both certificates to their NSS certificate store.

Paul

> --
> Tuomo Soini <[email protected]>
> Foobar Linux services
> +358 40 5240030
> Foobar Oy <https://foobar.fi/>
> _______________________________________________
> Swan mailing list
> [email protected]
> https://lists.libreswan.org/mailman/listinfo/swan
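The thread turns on one detail: the certificate being loaded as the VPN endpoint's own cert carries `basicConstraints CA:TRUE`, so libreswan 3.25 reports "no EE-cert in chain" and rejects it. The following shell script is an added example (not libreswan's code and not from anyone on this list) showing how to pre-check a certificate before putting it in `leftcert=`/`rightcert=`: it generates a throwaway CA and a leaf certificate signed by it (both constructed on the fly, with made-up names such as `vpn-gw.example.test`), then classifies each by its Basic Constraints extension and verifies that the leaf chains to the CA. It assumes only the `openssl` command-line tool.

```shell
#!/bin/sh
# Added example: tell a CA certificate (CA:TRUE) from an end-entity (EE)
# certificate before loading it as leftcert=/rightcert=. Assumes the
# openssl CLI; every certificate here is generated on the fly (constructed).
set -e

WORK="${WORK:-$(mktemp -d)}"

# Build a constructed self-signed CA and a leaf (EE) certificate it signs.
make_test_certs() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Example Test CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  cat > "$WORK/ee.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = vpn-gw.example.test
[ee_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
EOF
  # Self-signed CA (this is the shape of cert the thread's poster loaded).
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/ca.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  # Leaf key + CSR, then sign it with the CA and attach the EE extensions.
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ee.cnf" \
    -keyout "$WORK/ee.key" -out "$WORK/ee.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/ee.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/ee.cnf" -extensions ee_ext \
    -out "$WORK/ee.pem" >/dev/null 2>&1
}

# Print "ca" when the certificate carries basicConstraints CA:TRUE, else "ee".
cert_role() {
  if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
    echo ca
  else
    echo ee
  fi
}

# Succeed only for an EE certificate that chains to the given CA file,
# i.e. the shape libreswan 3.25 accepts according to the thread above.
check_vpn_cert() {
  cert="$1"; ca="$2"
  if [ "$(cert_role "$cert")" != ee ]; then
    echo "refusing $cert: it is a CA certificate, not an EE certificate" >&2
    return 1
  fi
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1
}

make_test_certs
echo "ca.pem role: $(cert_role "$WORK/ca.pem")"
echo "ee.pem role: $(cert_role "$WORK/ee.pem")"
check_vpn_cert "$WORK/ee.pem" "$WORK/ca.pem" && echo "ee.pem is usable as leftcert="
check_vpn_cert "$WORK/ca.pem" "$WORK/ca.pem" || echo "ca.pem would be rejected with 'no EE-cert in chain'"
```

Run it against your own files by pointing `check_vpn_cert` at the certificate you intend to import into the NSS database and at the CA that issued it; a `ca` result is the same condition the 3.25 log lines above are complaining about, and the fix is to issue a proper server/client certificate from that CA rather than reusing the CA certificate itself.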
