On Thu, Mar 18, 2021 at 11:25:22PM +0100, Lorenz Jiha wrote:
> Hi,
>
> I have been using iked for a few years with certificate authentication for my
> roadwarrior Linux without any trouble.
>
> I took a 6.8 fresh install and classically used ikectl to generate a new CA
> and certificates.
>
> But when I try to connect to the OBSD iked, authentication is refused for
> my client with this message:
> ca_validate_cert: /C=FR/ST=France/L=Paris/O=XXX rejecting self-signed
> certificate
>
> If I syspatch the server, the error message becomes:
>
> ca_validate_cert: /C=FR/ST=France/L=Paris/O=XXX unsupported or invalid name
> syntax
This is manifestly caused by the new name constraints code that is part of
the new x509 verifier shipped in 6.8. The syspatch changed back to using the
old verifier code, but keeps using the new name constraints code. That's why
the error changed - "rejecting self-signed certificate" is a catch-all used
in iked. It would be helpful if you could generate a new certificate and
share it (off-list if you prefer) so that we can look at precisely what
causes the issue.

>
> If I restart from a 6.7 box and generate my certificate, everything is OK,
> but if I upgrade to 6.8, same behavior.
>
> Has anyone met the same behavior?
>
> Thanks
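An added example, not from this thread and not iked or ikectl code: a shell script that builds a constructed test CA carrying a critical nameConstraints extension, issues two leaf certificates (one inside the permitted DNS subtree, one outside it) and runs openssl verify on each, then dumps the extensions the check acts on. It uses whatever openssl(1) is installed rather than the 6.8 LibreSSL verifier, so the wording of the rejection can differ from iked's messages; the CA name, leaf names and DNS names are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce X.509 name-constraints
# enforcement with openssl(1).  A constructed test CA permits only DNS names
# under .example.com; one issued leaf respects that, the other does not.
# Uses the installed openssl, not the OpenBSD 6.8 verifier, so error text
# may differ from iked's; the accept/reject split is what matters.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed CA with a critical nameConstraints extension (permitted subtree).
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[dn]
CN = Constructed Test CA
[ca_ext]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
nameConstraints      = critical, permitted;DNS:.example.com
EOF
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$WORK/req.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# issue_leaf STEM DNSNAME: sign a leaf whose only subjectAltName is DNSNAME.
# The CN contains spaces, so the verifier never treats it as a hostname;
# only the SAN is subject to the DNS constraint.
issue_leaf() {
    printf 'basicConstraints = CA:FALSE\nkeyUsage = critical, digitalSignature\n' \
        > "$WORK/$1.ext"
    printf 'subjectAltName = DNS:%s\n' "$2" >> "$WORK/$1.ext"
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
        -subj "/CN=Constructed Leaf $1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# verify_leaf STEM: print "ok" when the chain verifies, otherwise the
# verifier's reason string (e.g. "permitted subtree violation").
verify_leaf() {
    if out=$(openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" 2>&1); then
        echo ok
    else
        echo "$out" | sed -n 's/^.*error [0-9][0-9]* at [0-9][0-9]* depth lookup: *//p' | head -n 1
    fi
}

issue_leaf good vpn.example.com   # inside the permitted subtree
issue_leaf bad  vpn.example.org   # outside it

echo "good: $(verify_leaf good)"
echo "bad:  $(verify_leaf bad)"

# The extensions the check acts on; look at the same fields in a certificate
# that a name-constraints-aware verifier rejects.
openssl x509 -in "$WORK/ca.crt"  -noout -text | grep -A2 'Name Constraints'
openssl x509 -in "$WORK/bad.crt" -noout -text | grep -A1 'Subject Alternative Name'
```

The same `openssl x509 -noout -text` dump, run against a real CA certificate and the client certificate it issued, shows the CA's Name Constraints next to the leaf's Subject and Subject Alternative Name; those are the fields a name-constraints check compares, and so the first thing to compare when a certificate that an older verifier accepted is now refused.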