[strongSwan] strongswan 4.6.4 and IOS6

Christian Scheele chris at dd-wrt.com
Sun Dec 2 20:53:18 CET 2012


Hi,

with 10.8 i have an issue, that the client says "unable to verify server 
certificate"

My Server certificate has X509v3 Subject Alternative Name: as 
DNS:fqdnofmyserver

I tried even without extendedKeyUsage = serverAuth, 1.3.6.1.5.5.8.2.2 in 
the certificte.

Regarding the log and tcpdump, i don't think that the ios problem is 
related to the osx 10.8 problem.

-- 
Mit freundlichen Grüssen / Regards

Christian Scheele

NewMedia-NET GmbH - Devision DD-WRT
Firmensitz:  Berliner Ring 101, 64625 Bensheim
Registergericht: Amtsgericht Darmstadt, HRB 25473
Geschäftsführer: Peter Steinhäuser, Christian Scheele
http://www.dd-wrt.com
email: chris at dd-wrt.com
Tel.: +496251-582650 / Fax: +496251-5826565

On 01.12.12 20:36, Kris wrote:
> This issue seems to break OSX 10.8 also, small certs not help, hope
> the patch can be ported to SS 5 soon.
>
> --
> Kris
>
>
> On Tue, Nov 27, 2012 at 8:05 PM, Christian Scheele <chris at dd-wrt.com> wrote:
>> Hi,
>>
>> Gerd v. Egidy <lists at ...> writes:
>>
>>>
>>> Hi Andreas,
>>>
>>>> I did have some time to look at it. You will find a patch implementing
>>>> Ciscos proprietary IKE fragmentation in the patches tarball in the
>>>> chroot-ipsec source rpm. It's based on Strongswan 4.4.1. I managed
>>>> to port (it did not apply cleanly) that patch to the 4.5.2 based
>>>> debian backports version and it at least compiles. Tests are still pending.
>>>
>>> Would you mind to post your patch for 4.5.2?
>>>
>>>> This is however a temporary workaround as this will surely not
>>>> work on 5.x. and therefore most likely never get into the
>>>> official srongswan repos.
>>>
>>> sure. Let's hope someone will make or sponsor a true port to 5 soon.
>>
>> i uploaded the patch on pastebin:
>>
>> http://pastebin.com/mHS68juq
>>
>> We are using 5.0.1 right now, small certs work, but we would like to get this
>> implemented in 5.0.x as well.
>>
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4478 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20121202/065e9f46/attachment.bin>


More information about the Users mailing list