[strongSwan] strongswan 4.6.4 and IOS6

Kris KRI2183876 at maricopa.edu
Mon Dec 3 06:17:57 CET 2012


It's weird, I got it to work on a 10.8.2 in VMware Fusion, but it never
works on my machine; it always complains "unable to verify server
certificate".

SS's log said:

invalid HASH_V1 payload length, decryption failed?

Some discussions: https://discussions.apple.com/thread/4158642?start=0&tstart=0

--
Kris


On Mon, Dec 3, 2012 at 3:53 AM, Christian Scheele <chris at dd-wrt.com> wrote:
> Hi,
>
> with 10.8 I have an issue, that the client says "unable to verify server
> certificate"
>
> My Server certificate has X509v3 Subject Alternative Name: as
> DNS:fqdnofmyserver
>
> I tried even without extendedKeyUsage = serverAuth, 1.3.6.1.5.5.8.2.2 in the
> certificate.
>
> Regarding the log and tcpdump, I don't think that the iOS problem is related
> to the OS X 10.8 problem.
>
> --
> Kind regards
>
> Christian Scheele
>
> NewMedia-NET GmbH - Devision DD-WRT
> Registered office: Berliner Ring 101, 64625 Bensheim
> Register court: Amtsgericht Darmstadt, HRB 25473
> Managing directors: Peter Steinhäuser, Christian Scheele
> http://www.dd-wrt.com
> email: chris at dd-wrt.com
> Tel.: +496251-582650 / Fax: +496251-5826565
>
>
> On 01.12.12 20:36, Kris wrote:
>>
>> This issue seems to break OSX 10.8 also, small certs do not help, hope
>> the patch can be ported to SS 5 soon.
>>
>> --
>> Kris
>>
>>
>> On Tue, Nov 27, 2012 at 8:05 PM, Christian Scheele <chris at dd-wrt.com>
>> wrote:
>>>
>>> Hi,
>>>
>>> Gerd v. Egidy <lists at ...> writes:
>>>
>>>>
>>>> Hi Andreas,
>>>>
>>>>> I did have some time to look at it. You will find a patch implementing
>>>>> Cisco's proprietary IKE fragmentation in the patches tarball in the
>>>>> chroot-ipsec source rpm. It's based on Strongswan 4.4.1. I managed
>>>>> to port (it did not apply cleanly) that patch to the 4.5.2 based
>>>>> debian backports version and it at least compiles. Tests are still
>>>>> pending.
>>>>
>>>>
>>>> Would you mind posting your patch for 4.5.2?
>>>>
>>>>> This is however a temporary workaround as this will surely not
>>>>> work on 5.x. and therefore most likely never get into the
>>>>> official strongswan repos.
>>>>
>>>>
>>>> Sure. Let's hope someone will make or sponsor a true port to 5 soon.
>>>
>>>
>>> I uploaded the patch on pastebin:
>>>
>>> http://pastebin.com/mHS68juq
>>>
>>> We are using 5.0.1 right now, small certs work, but we would like to get
>>> this implemented in 5.0.x as well.
>>>
>>>
>>>
>>
>>
>



