On Sun, Dec 12, 2021 at 10:01:20PM +0100, Harald Dunkel wrote:
> Hi folks,
>
> since syspatch 70-006_x509 and a reboot, IKEv2 between 2 OpenBSD clusters
> (2 hosts on each end, carp interface, passive by default, managed via
> sasyncd) appears to be broken. /var/log/messages says
>
> Dec 12 21:40:28 gate5a iked[57676]: spi=0x5a7c2732b4b355e6:
> ikev2_dispatch_cert: peer certificate is invalid
>
> Certificates have been generated using ikectl ca.
>
> How come? I haven't changed the CA or the IKE configuration since
> 6.8.
>
> Unfortunately rolling back the syspatch or issuing new certificates
> did not help. I am stuck and desperate.
>
>
> Every helpful comment is highly appreciated.
>
> Harri
Hi Harald,

I haven't heard of any problems with the syspatch you mention and I didn't manage to reproduce your problem on my 7.0 machine. From your description I'm assuming all four machines are running syspatched 7.0.

Some ideas:

- To verify that this is a libcrypto problem, try 'openssl verify -CAfile /path/to/ca /path/to/cert' and see if it still fails.
- You are saying newly generated certs don't work. Did you modify '/etc/ssl/ikeca.cnf'? If yes, see if it works with the original config.
- This is just a guess, but there were several changes in recent libcrypto versions that made the certificate parsing stricter. Does your cert maybe have multiple extensions of the same type (e.g. multiple subjectAltNames)?

This is all I can say without seeing the actual certificates and/or iked log.

- Tobias
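The duplicate-extension check from Tobias's last idea, as an added example that is not code from the thread, iked or LibreSSL: a stdlib-only DER walker over a certificate's Extensions sequence that reports any extension OID appearing more than once. The sample Extensions blocks are constructed inline, and the OID name table and the empty-SEQUENCE placeholder values are assumptions for the demo.

```python
# Added example (not code from the thread, iked or LibreSSL): flag a DER
# Extensions SEQUENCE that carries one extension OID twice (e.g. two subjectAltNames).
from collections import Counter

def der_len(n):
    if n < 0x80:  # short form
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body  # long form

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def encode_oid(dotted):  # DER OBJECT IDENTIFIER (tag 0x06) from dotted form
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:  # base-128 with continuation bits, most significant group first
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return tlv(0x06, bytes(out))

OID_NAMES = {encode_oid("2.5.29.17"): "subjectAltName", encode_oid("2.5.29.19"): "basicConstraints"}

def extension(oid, value):  # Extension ::= SEQUENCE { extnID OID, extnValue OCTET STRING }
    return tlv(0x30, encode_oid(oid) + tlv(0x04, value))

def read_tlv(buf, pos):  # -> (tag, body, position after this TLV)
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:  # long-form length
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def duplicate_extensions(extensions_der):  # names of extension OIDs seen more than once
    tag, seq, _ = read_tlv(extensions_der, 0)
    assert tag == 0x30, "Extensions must be a SEQUENCE"
    oids, pos = [], 0
    while pos < len(seq):
        _, ext, pos = read_tlv(seq, pos)              # one Extension
        oids.append(tlv(0x06, read_tlv(ext, 0)[1]))   # its extnID, re-wrapped for lookup
    return [OID_NAMES.get(k, k.hex()) for k, c in Counter(oids).items() if c > 1]

# Constructed samples; the extnValue payload is a placeholder empty SEQUENCE (30 00).
BAD = tlv(0x30, extension("2.5.29.17", b"\x30\x00") * 2 + extension("2.5.29.19", b"\x30\x00"))
GOOD = tlv(0x30, extension("2.5.29.17", b"\x30\x00") + extension("2.5.29.19", b"\x30\x00"))
```

On a real certificate, feed it the body of the `[3] EXPLICIT Extensions` element of the TBSCertificate; `openssl asn1parse -i` on the cert shows where that element starts.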