[strongSwan-dev] Pluto Fails to Parse Cert
william.bloom at kinetx.com
Mon Jul 5 20:53:50 CEST 2010
Ah, I indeed had included gmp but I had omitted pkcs1. Adding the pkcs1 plugin
permits public key parsing to now succeed.
From: Andreas Steffen [mailto:andreas.steffen at strongswan.org]
Sent: Fri 7/2/2010 11:52 PM
To: William Bloom
Cc: dev at lists.strongswan.org
Subject: Re: [strongSwan-dev] Pluto Fails to Parse Cert
pluto chokes when trying to parse the public key contained in the
certificate. I think than no big-number library is available.
Either the gmp or openssl plugin must be loaded. The command
should show one of them. By default the gmp is built which in
turn requires the GNU Multiprecision library.
On 07/03/2010 04:56 AM, William Bloom wrote:
> I have a 4.4.0 installation of strongSwan on one RHEL51 box, on which I've configured a CA using 'ipsec pki ...' as described on the strongswan online docs, as well as on a RHEL46 box which attempts to establish a VPN to a Cisco ASA. I generated RSA 2048 keys for the CA and the client, self-signed a new CA cert which I then used to issue a cert for the client. All straightforward. I installed the CA cert and client cert/key on the client, leaving everything in DER format. Pluto opens these files and progresses nominally, at first, with the parse and then appears to choke at the point of 'subjectPublicKeyInfo'. With 'plutodebug=all', the following appears in /var/log/secure...
> L2 - subjectPublicKeyInfo:
> -- > --
> -- < --
> 002 error in X.509 certificate
> Yet 'openssl x509 -in cacert.der -inform DER -text -noout' parses the cert successfully and reports the subject public key properly. Might there be a DER problem, should I try PEM (it seems unlikely, I know)?
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
More information about the Dev