<div dir="ltr">Here is more information. Kernel version is Linux 3.9.3-x86_64 and strongswan version is 4.6.4.<br><br><div class="gmail_quote">---------- Forwarded message ----------<br>From: <b class="gmail_sendername"></b> <span dir="ltr"><<a href="mailto:users-request@lists.strongswan.org" target="_blank">users-request@lists.strongswan.org</a>></span><br>
Date: Wed, Jul 17, 2013 at 4:44 PM<br>Subject: Users Digest, Vol 42, Issue 21<br>To: <a href="mailto:users@lists.strongswan.org" target="_blank">users@lists.strongswan.org</a><br><br>
Message: 1<br>
Date: Wed, 17 Jul 2013 16:38:48 -0700<br>
From: nagaraj <<a href="mailto:nagaraj2@gmail.com" target="_blank">nagaraj2@gmail.com</a>><br>
Subject: [strongSwan] Strongswan failed to see the revoked certificate<br>
To: <a href="mailto:users@lists.strongswan.org" target="_blank">users@lists.strongswan.org</a><br>
Message-ID:<br>
<CAOFCAh9X=<a href="mailto:Bnb6yM3S2iLWyLB4X7s-P8S2ORfDGm7gnZFewTmXQ@mail.gmail.com" target="_blank">Bnb6yM3S2iLWyLB4X7s-P8S2ORfDGm7gnZFewTmXQ@mail.gmail.com</a>><br>
Content-Type: text/plain; charset="iso-8859-1"<br>
<br>
Hi All, I have copy-pasted ipsec.conf, strongswan.conf and openssl.cnf<br>
below. Does anybody have any clue why strongswan is not seeing the revoked<br>
certificate? I appreciate any help or suggestions.<br>
<br>
Thanks,<br>
Nagaraj<br>
<br>
[root@TroposDA ~]# cat /usr/local/strongswan4/etc/ipsec.conf<br>
config setup<br>
plutostart=yes<br>
plutostderrlog=/var/log/pluto.log<br>
nat_traversal=yes<br>
uniqueids=yes<br>
crlcheckinterval=600<br>
cachecrls=no<br>
strictcrlpolicy=no<br>
<br>
ca tropos<br>
cacert=/etc/pki/CA/certs/caCert.pem<br>
crluri=/etc/pki/CA/certs/crl.pem<br>
auto=add<br>
<br>
conn ios<br>
keyexchange=ikev1<br>
authby=xauthrsasig<br>
xauth=server<br>
left=%defaultroute<br>
leftsubnet=0.0.0.0/0<br>
leftcert=serverCert.pem<br>
leftfirewall=yes<br>
right=%any<br>
rightsourceip=10.2.0.0/16<br>
pfs=no<br>
auto=add<br>
===============================================================================================<br>
[root@TroposDA ~]# cat /usr/local/strongswan4/etc/strongswan.conf<br>
# strongswan.conf - strongSwan configuration file<br>
<br>
charon {<br>
<br>
# number of worker threads in charon<br>
threads = 32<br>
<br>
# send strongswan vendor ID?<br>
# send_vendor_id = yes<br>
<br>
plugins {<br>
<br>
sql {<br>
# loglevel to log into sql database<br>
loglevel = -1<br>
<br>
# URI to the database<br>
# database = sqlite:///path/to/file.db<br>
# database = mysql://user:password@localhost/database<br>
}<br>
}<br>
<br>
# ...<br>
}<br>
<br>
pluto {<br>
dns1 = 10.2.0.253<br>
}<br>
<br>
libstrongswan {<br>
<br>
# set to no, the DH exponent size is optimized<br>
# dh_exponent_ansi_x9_42 = no<br>
}<br>
===============================================================================================<br>
[root@TroposDA ~]# cat /etc/pki/tls/openssl.cnf<br>
#<br>
# OpenSSL example configuration file.<br>
# This is mostly being used for generation of certificate requests.<br>
#<br>
<br>
# This definition stops the following lines choking if HOME isn't<br>
# defined.<br>
HOME = .<br>
RANDFILE = $ENV::HOME/.rnd<br>
<br>
# Extra OBJECT IDENTIFIER info:<br>
#oid_file = $ENV::HOME/.oid<br>
oid_section = new_oids<br>
<br>
# To use this configuration file with the "-extfile" option of the<br>
# "openssl x509" utility, name here the section containing the<br>
# X.509v3 extensions to use:<br>
# extensions =<br>
# (Alternatively, use a configuration file that has only<br>
# X.509v3 extensions in its main [= default] section.)<br>
<br>
[ new_oids ]<br>
<br>
# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.<br>
# Add a simple OID like this:<br>
# testoid1=1.2.3.4<br>
# Or use config file substitution like this:<br>
# testoid2=${testoid1}.5.6<br>
<br>
# Policies used by the TSA examples.<br>
tsa_policy1 = 1.2.3.4.1<br>
tsa_policy2 = 1.2.3.4.5.6<br>
tsa_policy3 = 1.2.3.4.5.7<br>
<br>
####################################################################<br>
[ ca ]<br>
default_ca = CA_default # The default ca section<br>
<br>
####################################################################<br>
[ CA_default ]<br>
<br>
dir = /etc/pki/CA # Where everything is kept<br>
certs = $dir/certs # Where the issued certs are kept<br>
crl_dir = $dir/crl # Where the issued crl are kept<br>
database = $dir/index.txt # database index file.<br>
#unique_subject = no # Set to 'no' to allow creation of several certificates with same subject.<br>
new_certs_dir = $dir/newcerts # default place for new certs.<br>
<br>
certificate = $dir/certs/caCert.pem # The CA certificate<br>
serial = $dir/serial # The current serial number<br>
crlnumber = $dir/crlnumber # the current crl number<br>
# must be commented out to leave a V1 CRL<br>
crl = $dir/certs/crl.pem # The current CRL<br>
private_key = $dir/private/caKey.pem # The private key<br>
RANDFILE = $dir/private/.rand # private random number file<br>
<br>
x509_extensions = usr_cert # The extensions to add to the cert<br>
<br>
# Comment out the following two lines for the "traditional"<br>
# (and highly broken) format.<br>
name_opt = ca_default # Subject Name options<br>
cert_opt = ca_default # Certificate field options<br>
<br>
# Extension copying option: use with caution.<br>
# copy_extensions = copy<br>
<br>
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs<br>
# so this is commented out by default to leave a V1 CRL.<br>
# crlnumber must also be commented out to leave a V1 CRL.<br>
crl_extensions = crl_ext<br>
<br>
default_days = 365 # how long to certify for<br>
default_crl_days= 30 # how long before next CRL<br>
default_md = default # use public key default MD<br>
preserve = no # keep passed DN ordering<br>
<br>
# A few different ways of specifying how similar the request should look<br>
# For type CA, the listed attributes must be the same, and the optional<br>
# and supplied fields are just that :-)<br>
policy = policy_match<br>
<br>
# For the CA policy<br>
[ policy_match ]<br>
countryName = match<br>
stateOrProvinceName = match<br>
organizationName = match<br>
organizationalUnitName = optional<br>
commonName = supplied<br>
emailAddress = optional<br>
<br>
# For the 'anything' policy<br>
# At this point in time, you must list all acceptable 'object'<br>
# types.<br>
[ policy_anything ]<br>
countryName = optional<br>
stateOrProvinceName = optional<br>
localityName = optional<br>
organizationName = optional<br>
organizationalUnitName = optional<br>
commonName = supplied<br>
emailAddress = optional<br>
<br>
####################################################################<br>
[ req ]<br>
default_bits = 2048<br>
default_md = sha1<br>
default_keyfile = privkey.pem<br>
distinguished_name = req_distinguished_name<br>
attributes = req_attributes<br>
x509_extensions = v3_ca # The extensions to add to the self signed cert<br>
<br>
# Passwords for private keys if not present they will be prompted for<br>
# input_password = secret<br>
# output_password = secret<br>
<br>
# This sets a mask for permitted string types. There are several options.<br>
# default: PrintableString, T61String, BMPString.<br>
# pkix : PrintableString, BMPString (PKIX recommendation before 2004)<br>
# utf8only: only UTF8Strings (PKIX recommendation after 2004).<br>
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).<br>
# MASK:XXXX a literal mask value.<br>
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.<br>
string_mask = utf8only<br>
<br>
# req_extensions = v3_req # The extensions to add to a certificate request<br>
<br>
[ req_distinguished_name ]<br>
countryName = Country Name (2 letter code)<br>
countryName_default = XX<br>
countryName_min = 2<br>
countryName_max = 2<br>
<br>
stateOrProvinceName = State or Province Name (full name)<br>
#stateOrProvinceName_default = Default Province<br>
<br>
localityName = Locality Name (eg, city)<br>
localityName_default = Default City<br>
<br>
0.organizationName = Organization Name (eg, company)<br>
0.organizationName_default = Default Company Ltd<br>
<br>
# we can do this but it is not needed normally :-)<br>
#1.organizationName = Second Organization Name (eg, company)<br>
#1.organizationName_default = World Wide Web Pty Ltd<br>
<br>
organizationalUnitName = Organizational Unit Name (eg, section)<br>
#organizationalUnitName_default =<br>
<br>
commonName = Common Name (eg, your name or your server\'s hostname)<br>
commonName_max = 64<br>
<br>
emailAddress = Email Address<br>
emailAddress_max = 64<br>
<br>
# SET-ex3 = SET extension number 3<br>
<br>
[ req_attributes ]<br>
challengePassword = A challenge password<br>
challengePassword_min = 4<br>
challengePassword_max = 20<br>
<br>
unstructuredName = An optional company name<br>
<br>
[ usr_cert ]<br>
<br>
# These extensions are added when 'ca' signs a request.<br>
<br>
# This goes against PKIX guidelines but some CAs do it and some software<br>
# requires this to avoid interpreting an end user certificate as a CA.<br>
<br>
basicConstraints=CA:FALSE<br>
<br>
# Here are some examples of the usage of nsCertType. If it is omitted<br>
# the certificate can be used for anything *except* object signing.<br>
<br>
# This is OK for an SSL server.<br>
# nsCertType = server<br>
<br>
# For an object signing certificate this would be used.<br>
# nsCertType = objsign<br>
<br>
# For normal client use this is typical<br>
# nsCertType = client, email<br>
<br>
# and for everything including object signing:<br>
# nsCertType = client, email, objsign<br>
<br>
# This is typical in keyUsage for a client certificate.<br>
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment<br>
<br>
# This will be displayed in Netscape's comment listbox.<br>
nsComment = "OpenSSL Generated Certificate"<br>
<br>
# PKIX recommendations harmless if included in all certificates.<br>
subjectKeyIdentifier=hash<br>
authorityKeyIdentifier=keyid,issuer<br>
<br>
# This stuff is for subjectAltName and issuerAltname.<br>
# Import the email address.<br>
# subjectAltName=email:copy<br>
# An alternative to produce certificates that aren't<br>
# deprecated according to PKIX.<br>
# subjectAltName=email:move<br>
<br>
# Copy subject details<br>
# issuerAltName=issuer:copy<br>
<br>
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem<br>
#nsBaseUrl<br>
#nsRevocationUrl<br>
#nsRenewalUrl<br>
#nsCaPolicyUrl<br>
#nsSslServerName<br>
<br>
# This is required for TSA certificates.<br>
# extendedKeyUsage = critical,timeStamping<br>
<br>
[ v3_req ]<br>
<br>
# Extensions to add to a certificate request<br>
<br>
basicConstraints = CA:FALSE<br>
keyUsage = nonRepudiation, digitalSignature, keyEncipherment<br>
<br>
[ v3_ca ]<br>
<br>
<br>
# Extensions for a typical CA<br>
<br>
<br>
# PKIX recommendation.<br>
<br>
subjectKeyIdentifier=hash<br>
<br>
authorityKeyIdentifier=keyid:always,issuer<br>
<br>
# This is what PKIX recommends but some broken software chokes on critical<br>
# extensions.<br>
#basicConstraints = critical,CA:true<br>
# So we do this instead.<br>
basicConstraints = CA:true<br>
<br>
# Key usage: this is typical for a CA certificate. However since it will<br>
# prevent it being used as a test self-signed certificate it is best<br>
# left out by default.<br>
# keyUsage = cRLSign, keyCertSign<br>
<br>
# Some might want this also<br>
# nsCertType = sslCA, emailCA<br>
<br>
# Include email address in subject alt name: another PKIX recommendation<br>
# subjectAltName=email:copy<br>
# Copy issuer details<br>
# issuerAltName=issuer:copy<br>
<br>
# DER hex encoding of an extension: beware experts only!<br>
# obj=DER:02:03<br>
# Where 'obj' is a standard or added object<br>
# You can even override a supported extension:<br>
# basicConstraints= critical, DER:30:03:01:01:FF<br>
<br>
[ crl_ext ]<br>
<br>
# CRL extensions.<br>
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.<br>
<br>
# issuerAltName=issuer:copy<br>
authorityKeyIdentifier=keyid:always<br>
<br>
[ proxy_cert_ext ]<br>
# These extensions should be added when creating a proxy certificate<br>
<br>
# This goes against PKIX guidelines but some CAs do it and some software<br>
# requires this to avoid interpreting an end user certificate as a CA.<br>
<br>
basicConstraints=CA:FALSE<br>
<br>
# Here are some examples of the usage of nsCertType. If it is omitted<br>
# the certificate can be used for anything *except* object signing.<br>
<br>
# This is OK for an SSL server.<br>
# nsCertType = server<br>
<br>
# For an object signing certificate this would be used.<br>
# nsCertType = objsign<br>
<br>
# For normal client use this is typical<br>
# nsCertType = client, email<br>
<br>
# and for everything including object signing:<br>
# nsCertType = client, email, objsign<br>
<br>
# This is typical in keyUsage for a client certificate.<br>
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment<br>
<br>
# This will be displayed in Netscape's comment listbox.<br>
nsComment = "OpenSSL Generated Certificate"<br>
<br>
# PKIX recommendations harmless if included in all certificates.<br>
subjectKeyIdentifier=hash<br>
authorityKeyIdentifier=keyid,issuer<br>
<br>
# This stuff is for subjectAltName and issuerAltname.<br>
# Import the email address.<br>
# subjectAltName=email:copy<br>
# An alternative to produce certificates that aren't<br>
# deprecated according to PKIX.<br>
# subjectAltName=email:move<br>
<br>
# Copy subject details<br>
# issuerAltName=issuer:copy<br>
<br>
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem<br>
#nsBaseUrl<br>
#nsRevocationUrl<br>
#nsRenewalUrl<br>
#nsCaPolicyUrl<br>
#nsSslServerName<br>
<br>
# This really needs to be in place for it to be a proxy certificate.<br>
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo<br>
<br>
####################################################################<br>
[ tsa ]<br>
<br>
default_tsa = tsa_config1 # the default TSA section<br>
<br>
[ tsa_config1 ]<br>
<br>
# These are used by the TSA reply generation only.<br>
dir = ./demoCA # TSA root directory<br>
serial = $dir/tsaserial # The current serial number (mandatory)<br>
crypto_device = builtin # OpenSSL engine to use for signing<br>
signer_cert = $dir/tsacert.pem # The TSA signing certificate (optional)<br>
certs = $dir/cacert.pem # Certificate chain to include in reply (optional)<br>
signer_key = $dir/private/tsakey.pem # The TSA private key (optional)<br>
<br>
default_policy = tsa_policy1 # Policy if request did not specify it (optional)<br>
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)<br>
digests = md5, sha1 # Acceptable message digests (mandatory)<br>
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)<br>
clock_precision_digits = 0 # number of digits after dot. (optional)<br>
ordering = yes # Is ordering defined for timestamps? (optional, default: no)<br>
tsa_name = yes # Must the TSA name be included in the reply? (optional, default: no)<br>
ess_cert_id_chain = no # Must the ESS cert id chain be included? (optional, default: no)<br>
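Added example (not from the original post or the strongSwan project): a throwaway CA built with the openssl CLI issues a client certificate, revokes it and generates the CRL; crl_lists_cert then confirms the certificate's serial is actually present in crl.pem, and verify_with_crl shows the chain being rejected under -crl_check, which is the first check to run against the crl.pem that crluri points at. It assumes openssl is on PATH and uses a constructed openssl.cnf with the same CA_default layout as the one posted.<br>

```shell
set -eu   # constructed demo: everything below lives in a mktemp directory
setup_demo_ca() {   # builds a throwaway CA and issues client.pem; prints the CA dir
  work=$(mktemp -d)
  mkdir -p "$work/newcerts" "$work/private"
  touch "$work/index.txt"
  echo 1000 > "$work/serial"
  echo 01 > "$work/crlnumber"   # present => V2 CRL with crlNumber, like the posted openssl.cnf
  cat > "$work/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $work
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/caCert.pem
private_key = \$dir/private/caKey.pem
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_anything
[ policy_anything ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -config "$work/ca.cnf" -extensions v3_ca \
    -subj /CN=DemoCA -days 365 -keyout "$work/private/caKey.pem" -out "$work/caCert.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -config "$work/ca.cnf" -subj /CN=client \
    -keyout "$work/client.key" -out "$work/client.csr" 2>/dev/null
  openssl ca -batch -config "$work/ca.cnf" -in "$work/client.csr" -out "$work/client.pem" >/dev/null 2>&1
  echo "$work"
}
revoke_and_gencrl() {   # $1 = CA dir: revoke client.pem and write crl.pem, the file crluri must point at
  openssl ca -config "$1/ca.cnf" -revoke "$1/client.pem" >/dev/null 2>&1
  openssl ca -config "$1/ca.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null
}
crl_lists_cert() {   # $1 = crl.pem, $2 = cert.pem: succeeds only if the cert's serial is in the CRL
  serial=$(openssl x509 -noout -serial -in "$2" | cut -d= -f2)
  openssl crl -noout -text -in "$1" | grep -q "Serial Number: $serial"
}
verify_with_crl() {   # $1 = CA dir, $2 = cert.pem: chain check with the CRL, as a strict policy would do
  cat "$1/caCert.pem" "$1/crl.pem" > "$1/trust.pem"
  openssl verify -crl_check -CAfile "$1/trust.pem" "$2" >/dev/null 2>&1
}
```

If crl_lists_cert fails against a production crl.pem, the CRL was generated before the revocation or from a different index.txt; if it succeeds but the VPN still accepts the client, the daemon is not loading that file.<br>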
</div><br></div>