chemical

Forum Replies Created

Viewing 2 posts - 1 through 2 (of 2 total)
  • in reply to: Certificate passwords #45030
    chemical
    Member

    I modified /etc/ssl/openssl.cnf and set input_password and output_password to something and tried to regen the certificates; still does not work.

    Then I found a page on the web about certificates being used by the OS X client: http://www.jacco2.dds.nl/networking/openswan-macosx.html#Certs

    Seems that OS X will not accept a server certificate in distinguished name format (which they appear to be generated as) without adding user_cert option subjectAltName=DNS:

    Of course it’s not possible to do this as the changes made to openssl.cnf are wiped out after a reboot.

    If I understand correctly (and I probably don’t), this makes Zeroshell config incompatible with OS X clients as far as X.509 VPN access goes?
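
Added example, not part of the original post and not Zeroshell's own tooling: one way to issue a test certificate carrying the `subjectAltName=DNS:` extension mentioned above from a standalone config file, leaving /etc/ssl/openssl.cnf untouched, and then to check that the extension is present. The hostname, file names, and the functions `make_san_cert` and `cert_san` are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed example: the hostname and all file names are placeholders.

# Create a self-signed test certificate whose extensions include
# subjectAltName=DNS:<host>, using a private config file in <dir>.
make_san_cert() {
    host="$1"; dir="$2"
    cat > "$dir/san.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = user_cert
prompt = no

[ dn ]
CN = $host

[ user_cert ]
subjectAltName = DNS:$host
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -config "$dir/san.cnf" \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# Print the subjectAltName entries of a certificate.
# Prints an empty line-free result (nothing) when the extension is absent.
cert_san() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Subject Alternative Name' |
        tail -n 1 | sed 's/^ *//'
}

# Stand-alone usage, run only when WORKDIR is set:
#   WORKDIR=/tmp/santest sh this_script.sh
if [ -n "${WORKDIR:-}" ]; then
    mkdir -p "$WORKDIR"
    make_san_cert vpn.example.test "$WORKDIR"
    echo "SAN: $(cert_san "$WORKDIR/server.crt")"
fi
```

Running `cert_san` against an existing server certificate shows whether it was issued with the extension or only with a distinguished name.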

    in reply to: Certificate passwords #45029
    chemical
    Member

    I tried a blank password and the OS X Keychain Access app still gives the CSP_INVALID_DATA error (meaning the user entered the wrong certificate password).

    Those same certs work on XP if I just hit enter at the password prompt, though, so it’s definitely OS X being picky about it.

    If I generate the certs with OpenSSL at the command line with passwords and move them into the Zeroshell ssl/certs dir, will that work, or must they be generated within the GUI?

    Thanks for your help,
    Dustin
