It's weird, I got it to work on a 10.8.2 in VMware Fusion, but it never works on my machine; it always complains "unable to verify server certificate".

SS's log said: invalid HASH_V1 payload length, decryption failed?

Some discussions: https://discussions.apple.com/thread/4158642?start=0&tstart=0

--
Kris

On Mon, Dec 3, 2012 at 3:53 AM, Christian Scheele <[email protected]> wrote:
> Hi,
>
> with 10.8 I have an issue, that the client says "unable to verify server
> certificate"
>
> My Server certificate has X509v3 Subject Alternative Name: as
> DNS:fqdnofmyserver
>
> I tried even without extendedKeyUsage = serverAuth, 1.3.6.1.5.5.8.2.2 in the
> certificate.
>
> Regarding the log and tcpdump, I don't think that the iOS problem is related
> to the OS X 10.8 problem.
>
> --
> Kind regards
>
> Christian Scheele
>
> NewMedia-NET GmbH - Division DD-WRT
> Registered office: Berliner Ring 101, 64625 Bensheim
> Court of registration: Amtsgericht Darmstadt, HRB 25473
> Managing directors: Peter Steinhäuser, Christian Scheele
> http://www.dd-wrt.com
> email: [email protected]
> Tel.: +496251-582650 / Fax: +496251-5826565
>
>
> On 01.12.12 20:36, Kris wrote:
>>
>> This issue seems to break OS X 10.8 also, small certs do not help, hope
>> the patch can be ported to SS 5 soon.
>>
>> --
>> Kris
>>
>>
>> On Tue, Nov 27, 2012 at 8:05 PM, Christian Scheele <[email protected]>
>> wrote:
>>>
>>> Hi,
>>>
>>> Gerd v. Egidy <lists@...> writes:
>>>
>>>>
>>>> Hi Andreas,
>>>>
>>>>> I did have some time to look at it. You will find a patch implementing
>>>>> Cisco's proprietary IKE fragmentation in the patches tarball in the
>>>>> chroot-ipsec source rpm. It's based on Strongswan 4.4.1. I managed
>>>>> to port (it did not apply cleanly) that patch to the 4.5.2 based
>>>>> debian backports version and it at least compiles. Tests are still
>>>>> pending.
>>>>
>>>>
>>>> Would you mind posting your patch for 4.5.2?
>>>>
>>>>> This is however a temporary workaround as this will surely not
>>>>> work on 5.x. and therefore most likely never get into the
>>>>> official strongswan repos.
>>>>
>>>>
>>>> sure. Let's hope someone will make or sponsor a true port to 5 soon.
>>>
>>>
>>> I uploaded the patch on pastebin:
>>>
>>> http://pastebin.com/mHS68juq
>>>
>>> We are using 5.0.1 right now, small certs work, but we would like to get
>>> this implemented in 5.0.x as well.
>>>
>>>
>>>
>>> _______________________________________________
>>> Users mailing list
>>> [email protected]
>>> https://lists.strongswan.org/mailman/listinfo/users
>>
>>
>
