On 4/20/2010 6:38 AM, Tai-hwa Liang wrote:
>> I don't believe concatenating the certificate files together will have
>> any effect. A lot of work was done between 2.1.4 and 2.1.6 to handle a
>> multi-certificate chain to be interpreted correctly when received from
>> the peer during phase1 negotiations. And on the windows platform, we
>> have a special directory where a user can drop additional certificates
>> that are used as intermediates during certificate verification. But on
>> Linux/BSD, there is no analog to this.
>
> Did you try the attached patch I sent you a few years ago? I believe
> it supports chained/concatenated certificates inside a single .pem file.
> Even better, it also supports a .p12 file that includes the user's key pair
> and the complete CA certificate chain.
>
> Given that this patch only utilises standard OpenSSL APIs, it should be
> portable amongst WIN32 and UN*X Shrew VPN implementations.
>
>> I think we need to allow a certificate directory to be passed instead of
>> a single certificate file. This will allow a client to configure a group
>> of certificate files that can be used for chained authentication.
>> Unfortunately, I don't have time to do this at the moment. This should
>> be completed before the 2.2.0 release. Sorry I can't be more help at this
>> time.
>
> IMHO, the problem with directory based certificate storage is that there are
> multiple directories, which can be confusing to users. I've run into this
> in 2.1.0 (not sure if it is fixed in a recent release) since I put the
> chained .pem into 'My Document/Shrew .../certificate' rather than
> 'Program Files/Shrew VPN/certificate.' The former path didn't seem to be
> in ShrewVPN's default certificate search path and thus caused a failure
> in the subsequent server certificate verification process.
Thanks for reminding me of your patch. I'll try to have a closer look at this in the coming week.

-Matthew

_______________________________________________
vpn-help mailing list
[email protected]
http://lists.shrew.net/mailman/listinfo/vpn-help
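As an added illustration of the concatenated .pem bundle Tai-hwa describes (this is not code from the thread, from the Shrew VPN project, or from the patch under discussion), the following Python reads such a bundle the way an OpenSSL-style PEM reader walks a file: one BEGIN/END block at a time, ignoring text between blocks (such as the "Bag Attributes" lines that `openssl pkcs12` emits), and keeping private-key blocks apart from the certificates that belong in the verification chain. The function names are my own, and the sample bundle, its labels and its byte payloads are constructed placeholders, not real certificates.

```python
"""Split a concatenated PEM bundle into labelled blocks and sort them into
certificates, private keys and everything else."""
import base64
import binascii
import re

# One PEM block: "-----BEGIN <LABEL>-----", base64 body, "-----END <LABEL>-----".
_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
_END = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")

CERT_LABELS = {"CERTIFICATE", "X509 CERTIFICATE", "TRUSTED CERTIFICATE"}
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "ENCRYPTED PRIVATE KEY"}


def split_pem_bundle(text):
    """Return a list of (label, der_bytes) in file order.

    Text outside BEGIN/END blocks is skipped. A missing END line, a
    mismatched END label, or a body that is not valid base64 raises
    ValueError instead of silently yielding a truncated chain.
    """
    blocks = []
    label = None
    body = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()            # tolerate CRLF and trailing blanks
        if label is None:
            m = _BEGIN.match(line)
            if m:
                label, body = m.group(1), []
            continue                  # outside a block: ignore the line
        m = _END.match(line)
        if m:
            if m.group(1) != label:
                raise ValueError(f"line {lineno}: END {m.group(1)} closes BEGIN {label}")
            try:
                der = base64.b64decode("".join(body), validate=True)
            except binascii.Error as exc:
                raise ValueError(f"{label} block ending at line {lineno}: bad base64 ({exc})")
            blocks.append((label, der))
            label = None
            continue
        if line:
            body.append(line)
    if label is not None:
        raise ValueError(f"unterminated BEGIN {label} block")
    return blocks


def partition_bundle(text):
    """Sort a bundle's blocks into certificates, private keys and the rest.

    For a client identity bundle the first certificate is expected to be the
    end-entity certificate followed by its intermediate issuers; private keys
    must never be added to a CA trust store, so they are returned separately.
    """
    certs, keys, other = [], [], []
    for label, der in split_pem_bundle(text):
        if label in CERT_LABELS:
            certs.append(der)
        elif label in KEY_LABELS:
            keys.append(der)
        else:
            other.append((label, der))
    return {"certificates": certs, "keys": keys, "other": other}


def is_well_formed(text):
    """True if every block in the bundle parses, False on any structural error."""
    try:
        split_pem_bundle(text)
        return True
    except ValueError:
        return False


def _pem_block(label, payload):
    """Encode constructed bytes as a 64-column PEM block (sample data only)."""
    b64 = base64.b64encode(payload).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed sample in the general shape of `openssl pkcs12 -nodes` output for
# a client identity: leaf certificate, key, intermediate CA certificate. The DER
# payloads are placeholder bytes, not real certificates or keys.
SAMPLE_BUNDLE = (
    "Bag Attributes\n    friendlyName: constructed client\n"
    + _pem_block("CERTIFICATE", b"constructed end-entity certificate")
    + "Bag Attributes\n    localKeyID: 01\nKey Attributes: <No Attributes>\n"
    + _pem_block("PRIVATE KEY", b"constructed private key")
    + _pem_block("CERTIFICATE", b"constructed intermediate CA certificate")
)


def load_sample():
    """Parse the constructed bundle; returns two certificates and one key."""
    return partition_bundle(SAMPLE_BUNDLE)


if __name__ == "__main__":
    parts = load_sample()
    print(len(parts["certificates"]), "certificate(s),", len(parts["keys"]), "key(s)")
```

The point of the strict END-label and base64 checks is that a bundle with a damaged block should fail loudly at load time rather than produce a chain that is missing an intermediate, which would surface later only as an opaque verification failure of the kind described in the thread.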
