dcbw at redhat
Nov 20, 2009, 10:52 AM
Re: vpnc 0.5.3_p449 hybrid-auth not working since merge of gnutls code
On Fri, 2009-11-20 at 08:51 +0100, Martin Dummer wrote:
> On Thursday 19 November 2009 18:07:42 Dan Williams wrote:
> > > Since the gentoo vpnc package switched from 0.5.3 to 0.5.3_p449 I cannot establish connections any more. The reason is the switch from openssl to gnutls code (I have tested gnutls code before and found it not working but was too busy to report the problem).
> > Hmm, it would have helped if you had... we had at least two positive
> > reports that the gnutls code worked with people's existing setups.
> Yes you're right... but you know.... sometimes you think someone else will do the job but nobody does.... sorry for that.
> I appreciate switching to gnutls, so we'll try to fix the problem.
> > What architecture (ppc, ia32, x86-64, ppc64, arm, etc) are you running?
> I use x86-64 (or amd64)
> > Could you grab the SVN sources, build vpnc, and run 'make test' for me
> > to isolate whether it's something the testcase catches or not?
> Yes, I did.
> "make test" runs fine:
> ./test-crypto test/cert.pem test/cert0.pem test/cert1.pem test/cert2.pem test/root.pem
> I don't fully understand what "test-crypto" does with the argument but I tried to append the CA cert file I need for my company's vpn connection and then I see
It checks that the code can verify a known good certificate chain.
cert.pem is a root cert, cert0.pem is signed by cert.pem, cert1.pem is
signed by cert0.pem, and cert2.pem is the server certificate signed by
cert1.pem. That ensures that we can verify a given certificate chain.
So if the test runs OK, we know the code isn't completely broken :)
> ./test-crypto test/cert.pem test/cert0.pem test/cert1.pem test/cert2.pem test/root.pem /etc/vpnc/FTS_RootCA_Public.pem
> Error verifying chain: certificate signer not found
> This is the same error message as in the connection attempts.
So that's not going to work because FTS_RootCA_Public.pem doesn't sign
any of the certificates in the testing chain. We'd need to grab the
certificate that the server sends down to you and verify *that*
certificate against FTS_RootCA_Public.pem to figure out whether (a) I've
screwed up the gnutls cert code, or (b) your sysadmin has the stuff
I'll work up a patch to dump out the VPN server certificate so that you
can use it with the test tool.
Basically, "certificate signer not found" means that a certificate
higher up the chain did not sign the certificate of the child you've
given it; it would mean that FTS_RootCA_Public.pem is not the direct
signer of your VPN server's certificate. Or that I've screwed up the
BTW, does FTS_RootCA_Public.pem include multiple certificates?
vpnc-devel mailing list
vpnc-devel [at] unix-ag
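As an added example that is not code from this thread or from vpnc, the same experiment can be run with the openssl command line: build a root, two intermediates and a server certificate in the shape of test/cert.pem, cert0.pem, cert1.pem and cert2.pem, add an unrelated self-signed CA in the role of FTS_RootCA_Public.pem, and verify the server certificate against each. OpenSSL reports the failure as "unable to get local issuer certificate" where gnutls says "certificate signer not found"; the cause is the same, a CA file that does not sign anything in the chain being checked. The only assumption is an installed openssl CLI; every certificate is generated on the fly as constructed sample data.

```shell
#!/bin/sh
# Added example, not vpnc's test-crypto: rebuild a four-certificate chain with
# the openssl CLI and verify the server certificate against the real root and
# against an unrelated CA. All certificates are constructed here on the fly.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# sign_child CN ISSUER_CERT ISSUER_KEY BASENAME EXTFILE
# Creates $WORK/BASENAME.{key,csr,pem}: a fresh key and a certificate for CN
# signed by the given issuer (file names are relative to $WORK).
sign_child() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$4.key" -out "$WORK/$4.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$4.csr" -CA "$WORK/$2" -CAkey "$WORK/$3" \
    -CAcreateserial -days 365 -extfile "$WORK/$5" -out "$WORK/$4.pem" 2>/dev/null
}

# Builds cert.pem -> cert0.pem -> cert1.pem -> cert2.pem (same shape as the
# test/cert*.pem chain) plus other.pem, a self-signed CA that signs nothing
# in that chain. Intermediates get CA:TRUE so openssl accepts them as issuers.
make_chain() {
  printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\n' > "$WORK/leaf.ext"

  # self-signed root, the equivalent of test/cert.pem
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example Root" \
    -keyout "$WORK/root.key" -out "$WORK/cert.pem" 2>/dev/null
  sign_child "Example Intermediate 0" cert.pem  root.key  cert0 ca.ext
  sign_child "Example Intermediate 1" cert0.pem cert0.key cert1 ca.ext
  sign_child "vpn.example.test"       cert1.pem cert1.key cert2 leaf.ext  # server cert
  cat "$WORK/cert0.pem" "$WORK/cert1.pem" > "$WORK/inters.pem"

  # unrelated CA standing in for a CA file that does not sign the server cert
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Unrelated Root" \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null
}

# chain_status CAFILE [UNTRUSTED]
# Prints "ok" if cert2.pem chains up to a certificate in CAFILE, using the
# optional file of untrusted intermediates, otherwise "fail".
chain_status() {
  if [ -n "$2" ]; then
    set -- "$WORK/$1" -untrusted "$WORK/$2"
  else
    set -- "$WORK/$1"
  fi
  if openssl verify -CAfile "$@" "$WORK/cert2.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# chain_reason CAFILE UNTRUSTED: openssl's own verdict text, for reading
chain_reason() {
  openssl verify -CAfile "$WORK/$1" -untrusted "$WORK/$2" "$WORK/cert2.pem" 2>&1 || true
}

# cert_count FILE: how many PEM certificates a file bundles
cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$WORK/$1"
}

make_chain
for f in cert.pem cert0.pem cert1.pem cert2.pem other.pem; do
  echo "== $f"
  openssl x509 -in "$WORK/$f" -noout -subject -issuer
done
echo "root + intermediates: $(chain_status cert.pem inters.pem)"
echo "root only:            $(chain_status cert.pem)"
echo "unrelated CA:         $(chain_status other.pem inters.pem)"
echo "openssl's reason for the unrelated CA:"
chain_reason other.pem inters.pem
echo "certificates bundled in cert.pem: $(cert_count cert.pem)"
```

The three verdicts map onto the cases in the mail: the full chain against its own root passes; the root alone fails because nothing presented links cert2.pem to it; an unrelated CA fails at the top of the chain no matter how many intermediates are supplied. The subject/issuer listing is the quick way to see whether a CA file is the direct signer of a server certificate (the server certificate's issuer must equal the CA's subject), and cert_count answers the question of whether a PEM file bundles more than one certificate.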