Hello Tai-hwa,

On Fri., Apr 16, 2010, Tai-hwa Liang wrote:
> On Wed, 31 Mar 2010, Michael wrote:
>> ii : unable to get local issuer certificate(20) at depth:0
>> ii : subject :/CN=name.host.tld
>> !! : unable to verify remote peer certificate
>>
>> The host 'name.host.tld' is in the SubjectAltName of the X.509
>> certificate loaded on the ike v1 server m0n0wall 1.31. I have
>> concatenated the root and intermediate CA certificates of
>> CaCert.org to the file 'cacert-combi.pem':
>>
>> s:ident-server-type:asn1dn
>> s:auth-server-cert:/home/username/.ike/certs/cacert-combi.pem
>> s:auth-client-cert:/home/username/.ike/certs/myclienthost-cacert-rsa-4096-crt.pem
>> s:auth-client-key:/home/username/.ike/keys/myclienthost-cacert-rsa-4096-key.pem
>>
>> What can be the problem?
>>
> The default verification facility in UN*X version of Shrew VPN
> doesn't support multiple levels of CAs. I've submitted a patch
> a few years ago which should be able to work around this problem.
>
That's great, so I suppose you had the same problem yourself? After testing your patch I'll let you know if it solves the problem I described.

> Since the attached patch was for 2.1.0 release, you're likely
> to have to resolve possible conflict after applying it to recent
> release.
>
No problem, I'll carefully integrate the patch into the most recent release. It's too bad that the Shrew developers don't want to support CA cert chaining. Very strange.

Regards,
Michael
_______________________________________________
vpn-help mailing list
[email protected]
http://lists.shrew.net/mailman/listinfo/vpn-help
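An added example, not part of the thread and not Shrew Soft code: a throw-away shell script that builds a three-level chain (root, intermediate, leaf with subjectAltName DNS:name.host.tld) with the openssl CLI, then runs the same verification three ways. It reproduces "error 20 at 0 depth lookup: unable to get local issuer certificate" when only the root is trusted, and shows that a root+intermediate bundle like the poster's cacert-combi.pem verifies fine with a chain-aware verifier, which isolates the problem to the client rather than the PEM file. The CA names (Demo-Root-CA, Demo-Intermediate-CA) and file names are made up for the demo; it assumes openssl 1.1.0 or later is on PATH (for -verify_hostname).

```shell
#!/bin/sh
# Added example (not from the thread or from the Shrew Soft project).
# Builds root -> intermediate -> leaf with openssl and checks which trust
# file lets the leaf verify.  All names below are made up for the demo.
set -eu

# Create the chain in directory $1.  The leaf carries
# subjectAltName DNS:name.host.tld, like the server cert in the thread.
build_test_chain() {
    (
        cd "$1"
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
        printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:name.host.tld\n' > leaf.ext

        # self-signed root (hypothetical Demo-Root-CA)
        openssl req -new -newkey rsa:2048 -nodes -subj /CN=Demo-Root-CA \
            -keyout root.key -out root.csr 2>/dev/null
        openssl x509 -req -days 365 -in root.csr -signkey root.key \
            -extfile ca.ext -out root.pem 2>/dev/null

        # intermediate signed by the root
        openssl req -new -newkey rsa:2048 -nodes -subj /CN=Demo-Intermediate-CA \
            -keyout inter.key -out inter.csr 2>/dev/null
        openssl x509 -req -days 365 -in inter.csr -CA root.pem -CAkey root.key \
            -CAcreateserial -extfile ca.ext -out inter.pem 2>/dev/null

        # leaf (the IKE server cert) signed by the intermediate
        openssl req -new -newkey rsa:2048 -nodes -subj /CN=name.host.tld \
            -keyout leaf.key -out leaf.csr 2>/dev/null
        openssl x509 -req -days 365 -in leaf.csr -CA inter.pem -CAkey inter.key \
            -CAcreateserial -extfile leaf.ext -out leaf.pem 2>/dev/null

        # the bundle the poster built: root + intermediate in one PEM file
        cat root.pem inter.pem > cacert-combi.pem
    )
}

# Verify leaf $2 against trust file $1 and check the peer name $3
# (default name.host.tld) against the SAN.  Returns openssl's exit status.
verify_leaf() {
    openssl verify -CAfile "$1" -verify_hostname "${3:-name.host.tld}" "$2"
}

# Cleaner model: only the root is a trust anchor ($1); the intermediate ($2)
# is merely made available for chain building, not trusted on its own.
verify_leaf_untrusted() {
    openssl verify -CAfile "$1" -untrusted "$2" -verify_hostname name.host.tld "$3"
}

main() {
    d=$(mktemp -d)
    build_test_chain "$d"
    echo '--- root only: fails, error 20 at depth 0 ---'
    verify_leaf "$d/root.pem" "$d/leaf.pem" || true
    echo '--- root + intermediate bundle (cacert-combi.pem): OK ---'
    verify_leaf "$d/cacert-combi.pem" "$d/leaf.pem"
    echo '--- root trusted, intermediate supplied as untrusted: OK ---'
    verify_leaf_untrusted "$d/root.pem" "$d/inter.pem" "$d/leaf.pem"
    echo '--- wrong peer name against the SAN: fails (hostname mismatch) ---'
    verify_leaf "$d/cacert-combi.pem" "$d/leaf.pem" other.host.tld || true
    rm -rf "$d"
}
main
```

The first case is exactly the client log in the thread: the verifier finds the leaf's issuer nowhere in its trust store and gives up at depth 0. A verifier that only walks one level has the same outcome even with the intermediate in the file, which is the Shrew limitation Tai-hwa describes. Note that concatenating the intermediate into the CA file, as the poster did, makes the intermediate a trust anchor in its own right; where the software allows it, the -untrusted form (trust the root, supply the intermediate) is the smaller trust decision.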
