<div dir="ltr"><div>Hello Noel.<br></div> The debian strongswan-standard-plugins package was missing (because of some earlier upgrade issues), i've reinstalled it and this fixed the problem.<br><div><div><div class="gmail_extra"><br><div class="gmail_quote">2017-02-16 21:59 GMT+01:00 Noel Kuntze <span dir="ltr"><<a href="mailto:noel@familie-kuntze.de" target="_blank">noel@familie-kuntze.de</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello John,<br>
<span class=""><br>
> In the meantime my experiments has shown that the problem was not associated with certificates at all. This message about bad signature was a result of missing some strongswan basic plugins (so it was an unexpected strongswan installation problem!), all the certificates involved in authentication had valid signatures.<br>
<br>
</span>I doubt that. What did you do to fix it?<br>
<span class=""><br>
On 16.02.2017 09:25, John Brown wrote:<br>
> Hi Tobias,<br>
> Sorry for delay, I didn't notice your message.<br>
><br>
> In the meantime my experiments has shown that the problem was not associated with certificates at all. This message about bad signature was a result of missing some strongswan basic plugins (so it was an unexpected strongswan installation problem!), all the certificates involved in authentication had valid signatures.<br>
><br>
> But extracting the certificates from log can be useful in future, I'm going to try your advice. I'was trying "enc 4" before but could not find the payload I was interested in - now if I know that they are in logs for sure, I'm going to pay more attention during searching the logs.<br>
><br>
> Thank you for your help,<br>
> Best regards,<br>
> John<br>
><br>
><br>
</span>> 2017-01-25 11:31 GMT+01:00 Tobias Brunner <<a href="mailto:tobias@strongswan.org">tobias@strongswan.org</a> <mailto:<a href="mailto:tobias@strongswan.org">tobias@strongswan.org</a>><wbr>>:<br>
<span class="">><br>
> Hi John,<br>
><br>
> > We have problems with certificate authentication and see "RSA signature<br>
> > verification failed: Bad signature" during strongswan connection try. We<br>
> > would like to retrieve all remote certificate chain to "manually" check<br>
> > this issue. Is this possible using strongswan (for example by enabling<br>
> > some debugs)?<br>
><br>
> You could increase the log level to get the certificates sent by the<br>
> peer. But I'm not sure if that would help much. When exactly does this<br>
> happen? When verifying a certificate? When verifying the IKE<br>
> authentication? Do you use IKEv2 or IKEv1? Do you have the correct<br>
> root CA certificate installed?<br>
><br>
> Anyway, if you want to extract the certificates from the log you may<br>
> increase the log level for the enc subsystem to 3 [1]. You'll get lots<br>
> of output that way, look for data logged for CERTIFICATE payloads<br>
> (you'll also have to reconstruct the binary data from the hex output in<br>
> the log).<br>
><br>
> Regards,<br>
> Tobias<br>
><br>
</span>> [1] <a href="https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration" rel="noreferrer" target="_blank">https://wiki.strongswan.org/<wbr>projects/strongswan/wiki/<wbr>LoggerConfiguration</a> <<a href="https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration" rel="noreferrer" target="_blank">https://wiki.strongswan.org/<wbr>projects/strongswan/wiki/<wbr>LoggerConfiguration</a>><br>
><br>
><br>
><br>
><br>
> ______________________________<wbr>_________________<br>
> Users mailing list<br>
> <a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a><br>
> <a href="https://lists.strongswan.org/mailman/listinfo/users" rel="noreferrer" target="_blank">https://lists.strongswan.org/<wbr>mailman/listinfo/users</a><br>
><br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
<br>
Mit freundlichen Grüßen/Kind Regards,<br>
Noel Kuntze<br>
<br>
GPG Key ID: 0x63EC6658<br>
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658<br>
<br>
<br>
</font></span></blockquote></div><br></div></div></div></div>