[strongSwan-dev] Pluto Fails to Parse Cert

Andreas Steffen andreas.steffen at strongswan.org
Mon Jul 5 20:32:25 CEST 2010

Hi Bill,

in that case send me your certificate and I'm going to have a look
at it.


On 05.07.2010 20:20, William Bloom wrote:
> Thanks, Stefan.  I have the following in strongswan.conf in order to
> include the gmp plugin...
>   pluto {
>      load = aes des shaq sha2 md5 hmac pem x509 gmp random pubkey
>   }
> ...and 'ipsec statusall' also reports that gmp is loaded. I actually had this
> in place before I discovered the public key parsing issue.  What else might I
> have wrong?
> Bill
> -----Original Message-----
> From: Andreas Steffen [mailto:andreas.steffen at strongswan.org]
> Sent: Fri 7/2/2010 11:52 PM
> To: William Bloom
> Cc: dev at lists.strongswan.org
> Subject: Re: [strongSwan-dev] Pluto Fails to Parse Cert
> Hello Bill,
> pluto chokes when trying to parse the public key contained in the
> certificate. I think that no big-number library is available.
> Either the gmp or openssl plugin must be loaded. The command
>   ipsec statusall
> should show one of them. By default the gmp is built which in
> turn requires the GNU Multiprecision library.
> Regards
> Andreas
> On 07/03/2010 04:56 AM, William Bloom wrote:
>> I have a 4.4.0 installation of strongSwan on one RHEL51 box, on which I've configured a CA using 'ipsec pki ...' as described on the strongswan online docs, as well as on a RHEL46 box which attempts to establish a VPN to a Cisco ASA.  I generated RSA 2048 keys for the CA and the client, self-signed a new CA cert which I then used to issue a cert for the client.  All straightforward.  I installed the CA cert and client cert/key on the client, leaving everything in DER format.  Pluto opens these files and progresses nominally, at first, with the parse and then appears to choke at the point of 'subjectPublicKeyInfo'.  With 'plutodebug=all', the following appears in /var/log/secure...
>>     L2 - subjectPublicKeyInfo:
>>     -- > --
>>     -- < --
>>   002   error in X.509 certificate
>> Yet 'openssl x509 -in cacert.der -inform DER -text -noout' parses the cert successfully and reports the subject public key properly.  Might there be a DER problem, should I try PEM (it seems unlikely, I know)?
>> Bill

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
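The parse quoted above stops at subjectPublicKeyInfo. As an added example (this is not strongSwan code, and nothing below is taken from pluto's parser), the following Python walks a DER certificate down to that field the way any X.509 reader does and reports the key algorithm OID and, for RSA, the modulus size and exponent. It builds its own test certificate inline with a small DER encoder (constructed data with a dummy signature, not a real certificate), so it runs stand-alone. A certificate that this reads cleanly but that pluto still rejects at the same point matches the thread's diagnosis: the ASN.1 is fine, and what is missing is the big-number backend (gmp or openssl plugin) pluto needs to turn the modulus and exponent into a usable RSA key.

```python
"""Walk a DER-encoded X.509 certificate to subjectPublicKeyInfo (added example)."""

RSA_ENCRYPTION = "1.2.840.113549.1.1.1"
SHA256_WITH_RSA = "1.2.840.113549.1.1.11"
COMMON_NAME = "2.5.4.3"


# ---- DER reading --------------------------------------------------------

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV element starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def children(value):
    """Yield (tag, value) pairs of the elements inside a constructed element."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        yield tag, inner


def decode_oid(value):
    """Decode OBJECT IDENTIFIER content octets to dotted form."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_spki(cert_der):
    """Return a dict describing subjectPublicKeyInfo of a DER certificate."""
    tag, cert, _ = read_tlv(cert_der)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    tbs = next(children(cert))[1]           # tbsCertificate
    fields = list(children(tbs))
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version
        fields.pop(0)
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    spki_tag, spki = fields[5]
    if spki_tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    (_, alg), (bits_tag, bits) = list(children(spki))[:2]
    oid = decode_oid(next(children(alg))[1])
    if bits_tag != 0x03 or bits[0] != 0:
        raise ValueError("subjectPublicKey is not a byte-aligned BIT STRING")
    info = {"algorithm": oid}
    if oid == RSA_ENCRYPTION:
        _, rsa_key, _ = read_tlv(bits, 1)   # skip the unused-bits octet
        n_val, e_val = [v for _, v in children(rsa_key)]
        info["modulus_bits"] = int.from_bytes(n_val, "big", signed=True).bit_length()
        info["exponent"] = int.from_bytes(e_val, "big", signed=True)
    return info


# ---- DER writing, used only to construct the test certificate -----------

def der(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:                          # base-128, high bit set on all but last
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return der(0x06, bytes(out))


def encode_int(n):
    b = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:                         # keep the INTEGER positive
        b = b"\x00" + b
    return der(0x02, b)


def build_test_cert(modulus, exponent=65537):
    """Constructed certificate with a dummy (all-zero) signature; not a real cert."""
    alg_id = der(0x30, encode_oid(SHA256_WITH_RSA) + b"\x05\x00")
    name = der(0x30, der(0x31, der(0x30, encode_oid(COMMON_NAME) + der(0x0C, b"Test CA"))))
    validity = der(0x30, der(0x17, b"100705000000Z") + der(0x17, b"110705000000Z"))
    rsa_key = der(0x30, encode_int(modulus) + encode_int(exponent))
    spki = der(0x30, der(0x30, encode_oid(RSA_ENCRYPTION) + b"\x05\x00")
               + der(0x03, b"\x00" + rsa_key))
    tbs = der(0x30, der(0xA0, encode_int(2)) + encode_int(1) + alg_id
              + name + validity + name + spki)
    return der(0x30, tbs + alg_id + der(0x03, b"\x00" + bytes(32)))


if __name__ == "__main__":
    # Constructed 2048-bit modulus; a real key would come from the CA's DER file.
    print(parse_spki(build_test_cert((1 << 2047) | 1)))
```

Point `parse_spki` at the bytes of a real `cacert.der` to see the same fields pluto reads; a `ValueError` here points at the encoding itself, while a clean result with pluto still reporting "error in X.509 certificate" at subjectPublicKeyInfo points at the plugin set rather than the file.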
