Message-ID: <Pine.LNX.4.53.0406151659320.1448@maxipes.logix.cz>
Date: Tue, 15 Jun 2004 17:17:25 +0200 (CEST)
From: Michal Ludvig <michal@...ix.cz>
To: thomas@...roved.org
Cc: bugtraq@...urityfocus.com, vendor-sec@....de
Subject: Re: authentication bug in KAME's racoon


On Mon, 14 Jun 2004, Thomas Walpuski wrote:

>   If OpenSSL fails on verifying the certificate, because it is expired,
>   self-signed, signed by an inappropriate CA, not allowed for that
>   purpose or the certificate chain is too long, racoon does not care
>   about that and declares the verification successful. I dare to say
>   that is brain dead.

Next time you may dare to contact the developers first...

Anyway, the Linux port of racoon distributed in the IPsec-tools package
(http://ipsec-tools.sourceforge.net) is fixed. The new version is
IPsec-tools 0.3.3 and can be downloaded here:
http://sourceforge.net/project/showfiles.php?group_id=74601&package_id=74949&release_id=245982

Currently it only allows (but still warns) that the CRL for the cert is
unavailable, for certificates obtained from the IKE payload. All other
problems are treated as errors and the ISAKMP negotiation fails.

For locally available certs (via the peers_certfile statement) the rules are
more relaxed, and because the certificate can be trustfully verified it is
allowed to be expired, self-signed or "for other purpose". The
verification still succeeds but emits a warning.

Vendors are encouraged to update their packages.

Regards,

Michal Ludvig
-- 
* A mouse is a device used to point at the xterm you want to type in.
* Personal homepage - http://www.logix.cz/michal
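The two behaviours discussed in this thread, an OpenSSL verify callback that reports success no matter what error OpenSSL raised versus one that tolerates only an explicit allowlist of errors, can be illustrated without any IPsec code. The following is an added example, not code from racoon, IPsec-tools or OpenSSL: it models OpenSSL's per-certificate verify callback in Python. The `X509_V_ERR_*` constants are copied by name and value from OpenSSL's x509_vfy.h; the `CertSource` enum, the `verify_chain` walk and the tolerated-error sets are assumptions built from the rules stated in the message above (that the local-certificate rule also tolerates a missing CRL is assumed, since the message describes those rules as more relaxed than the IKE-payload rule).

```python
"""Model of a certificate verification policy with an allowlist of tolerated errors.

Constructed example, not racoon/IPsec-tools/OpenSSL code. OpenSSL invokes a
verify callback once per certificate in the chain with preverify_ok (1 if that
certificate passed, 0 otherwise) and the current error code. Returning 1 tells
OpenSSL to continue, returning 0 aborts the verification.
"""
from enum import Enum
from typing import Callable, List, Tuple

# Error codes as defined in OpenSSL's x509_vfy.h (names and values copied from there).
X509_V_OK = 0
X509_V_ERR_UNABLE_TO_GET_CRL = 3
X509_V_ERR_CERT_HAS_EXPIRED = 10
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT = 18
X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN = 19
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = 20
X509_V_ERR_CERT_CHAIN_TOO_LONG = 22
X509_V_ERR_INVALID_PURPOSE = 26

ERR_NAMES = {
    X509_V_OK: "X509_V_OK",
    X509_V_ERR_UNABLE_TO_GET_CRL: "X509_V_ERR_UNABLE_TO_GET_CRL",
    X509_V_ERR_CERT_HAS_EXPIRED: "X509_V_ERR_CERT_HAS_EXPIRED",
    X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT",
    X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN",
    X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
    X509_V_ERR_CERT_CHAIN_TOO_LONG: "X509_V_ERR_CERT_CHAIN_TOO_LONG",
    X509_V_ERR_INVALID_PURPOSE: "X509_V_ERR_INVALID_PURPOSE",
}


class CertSource(Enum):
    """Where the peer certificate came from (assumed modelling of the two cases)."""
    IKE_PAYLOAD = "ike_payload"        # certificate sent by the peer inside IKE
    PEERS_CERTFILE = "peers_certfile"  # certificate configured locally by the admin


# Errors tolerated with a warning, per source, following the rules in the message.
# The PEERS_CERTFILE set is assumed to include the IKE_PAYLOAD set ("more relaxed").
TOLERATED = {
    CertSource.IKE_PAYLOAD: {X509_V_ERR_UNABLE_TO_GET_CRL},
    CertSource.PEERS_CERTFILE: {
        X509_V_ERR_UNABLE_TO_GET_CRL,
        X509_V_ERR_CERT_HAS_EXPIRED,
        X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT,
        X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN,
        X509_V_ERR_INVALID_PURPOSE,
    },
}

Callback = Callable[[int, int, int, CertSource, List[str]], int]


def broken_verify_callback(preverify_ok: int, err: int, depth: int,
                           source: CertSource, warnings: List[str]) -> int:
    """The reported bug: OpenSSL's verdict is ignored and every chain is accepted."""
    return 1


def fixed_verify_callback(preverify_ok: int, err: int, depth: int,
                          source: CertSource, warnings: List[str]) -> int:
    """Allowlist policy: continue only if OpenSSL is happy or the error is tolerated."""
    if preverify_ok:
        return 1
    if err in TOLERATED[source]:
        warnings.append(f"depth {depth}: {ERR_NAMES[err]} tolerated for {source.value}")
        return 1
    return 0  # any other failure aborts the negotiation


def verify_chain(chain_errors: List[int], source: CertSource,
                 callback: Callback) -> Tuple[bool, List[str]]:
    """Simulate OpenSSL walking the chain from the root (highest depth) to the leaf.

    chain_errors[i] is the error OpenSSL would raise for the certificate at depth i
    (0 = leaf), or X509_V_OK. Returns (accepted, warnings). Constructed model only.
    """
    warnings: List[str] = []
    for depth in reversed(range(len(chain_errors))):
        err = chain_errors[depth]
        preverify_ok = 1 if err == X509_V_OK else 0
        if not callback(preverify_ok, err, depth, source, warnings):
            return False, warnings
    return True, warnings


if __name__ == "__main__":
    # Constructed scenario: an expired leaf certificate presented inside IKE.
    expired_leaf = [X509_V_ERR_CERT_HAS_EXPIRED, X509_V_OK]
    print("broken:", verify_chain(expired_leaf, CertSource.IKE_PAYLOAD, broken_verify_callback))
    print("fixed :", verify_chain(expired_leaf, CertSource.IKE_PAYLOAD, fixed_verify_callback))
    print("local :", verify_chain(expired_leaf, CertSource.PEERS_CERTFILE, fixed_verify_callback))
```

The design point is that the callback never decides on its own that a chain is good; it only decides which of OpenSSL's failures are acceptable, and every tolerated failure leaves a warning behind so that a relaxed policy remains visible in the logs.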

