<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
On 7/5/2017 09:25, Tobias Brunner wrote:<br>
<blockquote type="cite"
cite="mid:5f91a976-29a9-d400-6d19-d768a3d67e45@strongswan.org">
<pre wrap="">Hi Karl,
</pre>
<blockquote type="cite">
<pre wrap="">BTW is the OCSP check failure due to lack of "curl" support in the
Android client?
</pre>
</blockquote>
<pre wrap="">
No, it's because the revocation plugin can't build an OCSP request (only
the x509 plugin can do so but on Android we use the openssl plugin to
parse certificates so that plugin isnt' enabled). I guess we could just
disable OCSP verification in the revocation plugin until that's supported.
</pre>
</blockquote>
The inability to use OCSP is actually sort of a problem for those of
us who are actively using OCSP for its intended purpose in that a
revoked cert will still be accepted.... :-) I will have to be more
diligent with CRL generation (I've slacked on that here since I got
an OCSP responder working well)<br>
<blockquote type="cite"
cite="mid:5f91a976-29a9-d400-6d19-d768a3d67e45@strongswan.org">
<pre wrap="">
</pre>
<blockquote type="cite">
<pre wrap="">In any event the failure there appears to be wrong as the "CN" has to be
set differently to the RSA's CN or the cert won't certify by the CA (due
to being a duplicate); the SAN DNS field IS correct (genesis.denninger.net)
X509v3 Subject Alternative Name:
<a class="moz-txt-link-abbreviated" href="mailto:email:postmaster@denninger.net">email:postmaster@denninger.net</a>, DNS:genesis.denninger.net
X509v3 Extended Key Usage:
TLS Web Server Authentication
</pre>
</blockquote>
<pre wrap="">
Have you set a server identity in the VPN profile? Could you send me
the cert so I can have a look at it?
</pre>
<blockquote type="cite">
<pre wrap="">I will try it with the RSA certificate:
Uh, nope. Same problem with the same log entry from the client.
</pre>
</blockquote>
<pre wrap="">
Did that work before? Does it work if you select the CA certificate
instead of the server certificate in the profile?
Regards,
Tobias
</pre>
</blockquote>
Yes. If the frag-eating monster does not get me BOTH certificates
work (when sent from the server with the switch turned on.) I
recently regenerated the RSA one in an attempt to kill the frag
issue (it was a 4k RSA cert, is now a 2k RSA cert)<br>
<br>
I'll email you privately with the two certificate files as
attachments.<br>
<br>
<div class="moz-signature">-- <br>
Karl Denninger<br>
<a href="mailto:karl@denninger.net">karl@denninger.net</a><br>
<i>The Market Ticker</i><br>
<font size="-2"><i>[S/MIME encrypted email preferred]</i></font>
</div>
</body>
</html>