[strongSwan] Intermediate CAs - ordering important?

Holger Metschulat holger.metschulat at arcor.de
Tue Jun 15 18:35:10 CEST 2010


Hi all,

I am trying to configure a certificate-based VPN between a Juniper SRX
and StrongSwan 4.3.6.

There are two CAs, CN=root-ca and CN=sub-ca. As the names indicate,
root-ca is self-signed and sub-ca is a CA signed by root-ca.

The SRX's certificate is certified by sub-ca, StrongSwan's certificate
is signed by root-ca.

SRX has installed the root-ca and sub-ca certificates; StrongSwan only
has root-ca's certificate configured as the CA cert.

This means that the SRX has to send not only its own certificate, but
also sub-ca's certificate as the intermediate CA.

This all works fine; however, I am ending up with "no public key known"
on the StrongSwan side for the SRX public key.

I have observed that the order of the certificates received by
StrongSwan is SRX cert, sub-ca cert and then root-ca cert. After
reception of the SRX cert, it seems that StrongSwan drops that cert
because it can't verify the issuer and then never recovers when it
afterwards receives the intermediate CA:

Jun 15 13:20:19 debian pluto[27490]: "srx" #5: issuer cacert not found
Jun 15 13:20:19 debian pluto[27490]: "srx" #5: X.509 certificate rejected

Can anyone confirm? Thanks!

Here are the detailed logs:

Jun 15 13:20:19 debian pluto[27490]: | ICOOKIE:  e8 0a 9f ce  96 52 a3 d6
Jun 15 13:20:19 debian pluto[27490]: | RCOOKIE:  fb e9 79 82  92 62 7f 46
Jun 15 13:20:19 debian pluto[27490]: | peer:  0a 00 51 52
Jun 15 13:20:19 debian pluto[27490]: | state hash entry 15
Jun 15 13:20:19 debian pluto[27490]: | state object #5 found, in
STATE_MAIN_I3
Jun 15 13:20:19 debian pluto[27490]: | ***parse ISAKMP Identification
Payload:
Jun 15 13:20:19 debian pluto[27490]: |    next payload type:
ISAKMP_NEXT_CERT
Jun 15 13:20:19 debian pluto[27490]: |    length: 12
Jun 15 13:20:19 debian pluto[27490]: |    ID type: ID_IPV4_ADDR
Jun 15 13:20:19 debian pluto[27490]: |    DOI specific A: 17
Jun 15 13:20:19 debian pluto[27490]: |    DOI specific B: 0
Jun 15 13:20:19 debian pluto[27490]: | ***parse ISAKMP Certificate Payload:
Jun 15 13:20:19 debian pluto[27490]: |    next payload type:
ISAKMP_NEXT_CERT
Jun 15 13:20:19 debian pluto[27490]: |    length: 784
Jun 15 13:20:19 debian pluto[27490]: |    cert encoding: CERT_X509_SIGNATURE
Jun 15 13:20:19 debian pluto[27490]: | ***parse ISAKMP Certificate Payload:
Jun 15 13:20:19 debian pluto[27490]: |    next payload type:
ISAKMP_NEXT_CERT
Jun 15 13:20:19 debian pluto[27490]: |    length: 700
Jun 15 13:20:19 debian pluto[27490]: |    cert encoding: CERT_X509_SIGNATURE
Jun 15 13:20:19 debian pluto[27490]: | ***parse ISAKMP Certificate Payload:
Jun 15 13:20:19 debian pluto[27490]: |    next payload type: ISAKMP_NEXT_SIG
Jun 15 13:20:19 debian pluto[27490]: |    length: 762
Jun 15 13:20:19 debian pluto[27490]: |    cert encoding: CERT_X509_SIGNATURE
Jun 15 13:20:19 debian pluto[27490]: | ***parse ISAKMP Signature Payload:
Jun 15 13:20:19 debian pluto[27490]: |    next payload type:
ISAKMP_NEXT_NONE
Jun 15 13:20:19 debian pluto[27490]: |    length: 260
Jun 15 13:20:19 debian pluto[27490]: | removing 10 bytes of padding
Jun 15 13:20:19 debian pluto[27490]: | protocol/port in Phase 1 ID
Payload is 17/0. accepted with port_floating NAT-T
Jun 15 13:20:19 debian pluto[27490]: "srx" #5: Peer ID is ID_IPV4_ADDR:
'10.0.81.82'
Jun 15 13:20:19 debian pluto[27490]: | L0 - x509:
Jun 15 13:20:19 debian pluto[27490]: | L1 - tbsCertificate:
Jun 15 13:20:19 debian pluto[27490]: | L2 - DEFAULT v1:
Jun 15 13:20:19 debian pluto[27490]: | L3 - version:
Jun 15 13:20:19 debian pluto[27490]: |   X.509v3
Jun 15 13:20:19 debian pluto[27490]: | L2 - serialNumber:
Jun 15 13:20:19 debian pluto[27490]: | L2 - signature:
Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithmIdentifier:
Jun 15 13:20:19 debian pluto[27490]: | L4 - algorithm:
Jun 15 13:20:19 debian pluto[27490]: |   'sha-1WithRSAEncryption'
Jun 15 13:20:19 debian pluto[27490]: | L2 - issuer:
Jun 15 13:20:19 debian pluto[27490]: |   'C=DE, ST=Bavaria, L=Munich,
O=Org, OU=org-unit, CN=sub-ca'
Jun 15 13:20:19 debian pluto[27490]: | L2 - validity:
Jun 15 13:20:19 debian pluto[27490]: | L3 - notBefore:
Jun 15 13:20:19 debian pluto[27490]: | L4 - utcTime:
Jun 15 13:20:19 debian pluto[27490]: |   'Jun 15 13:10:56 UTC 2010'
Jun 15 13:20:19 debian pluto[27490]: | L3 - notAfter:
Jun 15 13:20:19 debian pluto[27490]: | L4 - utcTime:
Jun 15 13:20:19 debian pluto[27490]: |   'Jun 15 13:10:56 UTC 2011'
Jun 15 13:20:19 debian pluto[27490]: | L2 - subject:
Jun 15 13:20:19 debian pluto[27490]: |   'CN=srx5600'
Jun 15 13:20:19 debian pluto[27490]: | L2 - subjectPublicKeyInfo:
Jun 15 13:20:19 debian pluto[27490]: | -- > --
Jun 15 13:20:19 debian pluto[27490]: | L0 - subjectPublicKeyInfo:
Jun 15 13:20:19 debian pluto[27490]: | L1 - algorithm:
Jun 15 13:20:19 debian pluto[27490]: | L2 - algorithmIdentifier:
Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithm:
Jun 15 13:20:19 debian pluto[27490]: |   'rsaEncryption'
Jun 15 13:20:19 debian pluto[27490]: | L1 - subjectPublicKey:
Jun 15 13:20:19 debian pluto[27490]: | -- > --
Jun 15 13:20:19 debian pluto[27490]: | L0 - RSAPublicKey:
Jun 15 13:20:19 debian pluto[27490]: | L1 - modulus:
Jun 15 13:20:19 debian pluto[27490]: | L1 - publicExponent:
Jun 15 13:20:19 debian pluto[27490]: | -- < --
Jun 15 13:20:19 debian pluto[27490]: | -- < --
Jun 15 13:20:19 debian pluto[27490]: | L2 - optional extensions:
Jun 15 13:20:19 debian pluto[27490]: | L3 - extensions:
Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
Jun 15 13:20:19 debian pluto[27490]: |   'basicConstraints'
Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
Jun 15 13:20:19 debian pluto[27490]: |   FALSE
Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
Jun 15 13:20:19 debian pluto[27490]: | L6 - basicConstraints:
Jun 15 13:20:19 debian pluto[27490]: | L7 - CA:
Jun 15 13:20:19 debian pluto[27490]: |   FALSE
Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
Jun 15 13:20:19 debian pluto[27490]: |   'nsComment'
Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
Jun 15 13:20:19 debian pluto[27490]: |   FALSE
Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
Jun 15 13:20:19 debian pluto[27490]: | L6 - nsComment:
Jun 15 13:20:19 debian pluto[27490]: |   'OpenSSL Generated Certificate'
Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
Jun 15 13:20:19 debian pluto[27490]: |   'subjectKeyIdentifier'
Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
Jun 15 13:20:19 debian pluto[27490]: |   FALSE
Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
Jun 15 13:20:19 debian pluto[27490]: | L6 - keyIdentifier:
Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
Jun 15 13:20:19 debian pluto[27490]: |   'authorityKeyIdentifier'
Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
Jun 15 13:20:19 debian pluto[27490]: |   FALSE
Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
Jun 15 13:20:19 debian pluto[27490]: | L6 - authorityKeyIdentifier:
Jun 15 13:20:19 debian pluto[27490]: | L7 - keyIdentifier:
Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
Jun 15 13:20:19 debian pluto[27490]: |   'subjectAltName'
Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
Jun 15 13:20:19 debian pluto[27490]: |   FALSE
Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
Jun 15 13:20:19 debian pluto[27490]: | L6 - generalNames:
Jun 15 13:20:19 debian pluto[27490]: | L7 - generalName:
Jun 15 13:20:19 debian pluto[27490]: | L8 - ipAddress:
Jun 15 13:20:19 debian pluto[27490]: |   '10.0.81.82'
Jun 15 13:20:19 debian pluto[27490]: | L1 - signatureAlgorithm:
Jun 15 13:20:19 debian pluto[27490]: | L2 - algorithmIdentifier:
Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithm:
Jun 15 13:20:19 debian pluto[27490]: |   'sha-1WithRSAEncryption'
Jun 15 13:20:19 debian pluto[27490]: | L1 - signatureValue:
Jun 15 13:20:19 debian pluto[27490]: | subject: 'CN=srx5600'
Jun 15 13:20:19 debian pluto[27490]: | issuer:  'C=DE, ST=Bavaria,
L=Munich, O=Org, OU=org-unit, CN=sub-ca'
Jun 15 13:20:19 debian pluto[27490]: | authkey:
99:c8:85:a1:a1:4f:60:9a:1c:3a:6d:9e:f0:0f:3d:aa:d9:53:ef:71
Jun 15 13:20:19 debian pluto[27490]: | certificate is valid
Jun 15 13:20:19 debian pluto[27490]: "srx" #5: issuer cacert not found
Jun 15 13:20:19 debian pluto[27490]: "srx" #5: X.509 certificate rejected
Jun 15 13:20:19 debian pluto[27490]: | L0 - x509:
Jun 15 13:20:19 debian pluto[27490]: | L1 - tbsCertificate:
Jun 15 13:20:19 debian pluto[27490]: | L2 - DEFAULT v1:
Jun 15 13:20:19 debian pluto[27490]: | L3 - version:
Jun 15 13:20:19 debian pluto[27490]: |   X.509v3
Jun 15 13:20:19 debian pluto[27490]: | L2 - serialNumber:
Jun 15 13:20:19 debian pluto[27490]: | L2 - signature:
Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithmIdentifier:
Jun 15 13:20:19 debian pluto[27490]: | L4 - algorithm:
Jun 15 13:20:19 debian pluto[27490]: |   'sha-1WithRSAEncryption'
Jun 15 13:20:19 debian pluto[27490]: | L2 - issuer:
Jun 15 13:20:19 debian pluto[27490]: |   'C=DE, ST=Bavaria, O=Org,
OU=org-unit, CN=root-ca'
Jun 15 13:20:19 debian pluto[27490]: | L2 - validity:
Jun 15 13:20:19 debian pluto[27490]: | L3 - notBefore:
Jun 15 13:20:19 debian pluto[27490]: | L4 - utcTime:
Jun 15 13:20:19 debian pluto[27490]: |   'Jun 15 11:30:22 UTC 2010'
Jun 15 13:20:19 debian pluto[27490]: | L3 - notAfter:
Jun 15 13:20:19 debian pluto[27490]: | L4 - utcTime:
Jun 15 13:20:19 debian pluto[27490]: |   'Jun 15 11:30:22 UTC 2011'
Jun 15 13:20:19 debian pluto[27490]: | L2 - subject:
Jun 15 13:20:19 debian pluto[27490]: |   'C=DE, ST=Bavaria, L=Munich,
O=Org, OU=org-unit, CN=sub-ca'
Jun 15 13:20:19 debian pluto[27490]: | L2 - subjectPublicKeyInfo:
Jun 15 13:20:19 debian pluto[27490]: | -- > --
Jun 15 13:20:19 debian pluto[27490]: | L0 - subjectPublicKeyInfo:
Jun 15 13:20:19 debian pluto[27490]: | L1 - algorithm:
Jun 15 13:20:19 debian pluto[27490]: | L2 - algorithmIdentifier:
Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithm:
Jun 15 13:20:19 debian pluto[27490]: |   'rsaEncryption'
Jun 15 13:20:19 debian pluto[27490]: | L1 - subjectPublicKey:
Jun 15 13:20:19 debian pluto[27490]: | -- > --
Jun 15 13:20:19 debian pluto[27490]: | L0 - RSAPublicKey:
Jun 15 13:20:19 debian pluto[27490]: | L1 - modulus:
Jun 15 13:20:19 debian pluto[27490]: | L1 - publicExponent:
Jun 15 13:20:19 debian pluto[27490]: | -- < --
Jun 15 13:20:19 debian pluto[27490]: | -- < --
Jun 15 13:20:19 debian pluto[27490]: | L2 - optional extensions:
Jun 15 13:20:19 debian pluto[27490]: | L3 - extensions:
Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
Jun 15 13:20:19 debian pluto[27490]: |   'basicConstraints'
Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
Jun 15 13:20:19 debian pluto[27490]: |   FALSE
Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
Jun 15 13:20:19 debian pluto[27490]: | L6 - basicConstraints:
Jun 15 13:20:19 debian pluto[27490]: | L7 - CA:
Jun 15 13:20:19 debian pluto[27490]: |   FALSE
Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
Jun 15 13:20:19 debian pluto[27490]: |   'nsComment'
Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
Jun 15 13:20:19 debian pluto[27490]: |   FALSE
Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
Jun 15 13:20:19 debian pluto[27490]: | L6 - nsComment:
Jun 15 13:20:19 debian pluto[27490]: |   'OpenSSL Generated Certificate'
Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
Jun 15 13:20:19 debian pluto[27490]: |   'subjectKeyIdentifier'
Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
Jun 15 13:20:19 debian pluto[27490]: |   FALSE
Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
Jun 15 13:20:19 debian pluto[27490]: | L6 - keyIdentifier:
Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
Jun 15 13:20:19 debian pluto[27490]: |   'authorityKeyIdentifier'
Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
Jun 15 13:20:19 debian pluto[27490]: |   FALSE
Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
Jun 15 13:20:19 debian pluto[27490]: | L6 - authorityKeyIdentifier:
Jun 15 13:20:19 debian pluto[27490]: | L7 - keyIdentifier:
Jun 15 13:20:19 debian pluto[27490]: | L1 - signatureAlgorithm:
Jun 15 13:20:19 debian pluto[27490]: | L2 - algorithmIdentifier:
Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithm:
Jun 15 13:20:19 debian pluto[27490]: |   'sha-1WithRSAEncryption'
Jun 15 13:20:19 debian pluto[27490]: | L1 - signatureValue:
Jun 15 13:20:19 debian pluto[27490]: | subject: 'C=DE, ST=Bavaria,
L=Munich, O=Org, OU=org-unit, CN=sub-ca'
Jun 15 13:20:19 debian pluto[27490]: | issuer:  'C=DE, ST=Bavaria,
O=Org, OU=org-unit, CN=root-ca'
Jun 15 13:20:19 debian pluto[27490]: | authkey:
9b:d6:5a:04:bb:e6:22:83:e4:d2:38:15:50:d8:57:a4:da:07:8d:fe
Jun 15 13:20:19 debian pluto[27490]: | certificate is valid
Jun 15 13:20:19 debian pluto[27490]: | issuer cacert found
Jun 15 13:20:19 debian pluto[27490]: | signature verification:
Jun 15 13:20:19 debian pluto[27490]: | L0 - digestInfo:
Jun 15 13:20:19 debian pluto[27490]: | L1 - digestAlgorithm:
Jun 15 13:20:19 debian pluto[27490]: | L2 - algorithmIdentifier:
Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithm:
Jun 15 13:20:19 debian pluto[27490]: |   'sha-1'
Jun 15 13:20:19 debian pluto[27490]: | L1 - digest:
Jun 15 13:20:19 debian pluto[27490]: | certificate signature is valid
Jun 15 13:20:19 debian pluto[27490]: "srx" #5: crl not found
Jun 15 13:20:19 debian pluto[27490]: "srx" #5: certificate status unknown
Jun 15 13:20:19 debian pluto[27490]: | subject: 'C=DE, ST=Bavaria,
O=Org, OU=org-unit, CN=root-ca'
Jun 15 13:20:19 debian pluto[27490]: | issuer:  'C=DE, ST=Bavaria,
O=Org, OU=org-unit, CN=root-ca'
Jun 15 13:20:19 debian pluto[27490]: | authkey:
9b:d6:5a:04:bb:e6:22:83:e4:d2:38:15:50:d8:57:a4:da:07:8d:fe
Jun 15 13:20:19 debian pluto[27490]: | certificate is valid
Jun 15 13:20:19 debian pluto[27490]: | issuer cacert found
Jun 15 13:20:19 debian pluto[27490]: | certificate signature is valid
Jun 15 13:20:19 debian pluto[27490]: | reached self-signed root ca with
a path length of 0
Jun 15 13:20:19 debian pluto[27490]: | Public key validated
Jun 15 13:20:19 debian pluto[27490]: | L0 - x509:
Jun 15 13:20:19 debian pluto[27490]: | L1 - tbsCertificate:
Jun 15 13:20:19 debian pluto[27490]: | L2 - DEFAULT v1:
Jun 15 13:20:19 debian pluto[27490]: | L3 - version:
Jun 15 13:20:19 debian pluto[27490]: |   X.509v3
Jun 15 13:20:19 debian pluto[27490]: | L2 - serialNumber:
Jun 15 13:20:19 debian pluto[27490]: | L2 - signature:
Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithmIdentifier:
Jun 15 13:20:19 debian pluto[27490]: | L4 - algorithm:
Jun 15 13:20:19 debian pluto[27490]: |   'sha-1WithRSAEncryption'
Jun 15 13:20:19 debian pluto[27490]: | L2 - issuer:
Jun 15 13:20:19 debian pluto[27490]: |   'C=DE, ST=Bavaria, O=Org,
OU=org-unit, CN=root-ca'
Jun 15 13:20:19 debian pluto[27490]: | L2 - validity:
Jun 15 13:20:19 debian pluto[27490]: | L3 - notBefore:
Jun 15 13:20:19 debian pluto[27490]: | L4 - utcTime:
Jun 15 13:20:19 debian pluto[27490]: |   'Jun 14 19:42:33 UTC 2010'
Jun 15 13:20:19 debian pluto[27490]: | L3 - notAfter:
Jun 15 13:20:19 debian pluto[27490]: | L4 - utcTime:
Jun 15 13:20:19 debian pluto[27490]: |   'Jun 13 19:42:33 UTC 2013'
Jun 15 13:20:19 debian pluto[27490]: | L2 - subject:
Jun 15 13:20:19 debian pluto[27490]: |   'C=DE, ST=Bavaria, O=Org,
OU=org-unit, CN=root-ca'
Jun 15 13:20:19 debian pluto[27490]: | L2 - subjectPublicKeyInfo:
Jun 15 13:20:19 debian pluto[27490]: | -- > --
Jun 15 13:20:19 debian pluto[27490]: | L0 - subjectPublicKeyInfo:
Jun 15 13:20:19 debian pluto[27490]: | L1 - algorithm:
Jun 15 13:20:19 debian pluto[27490]: | L2 - algorithmIdentifier:
Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithm:
Jun 15 13:20:19 debian pluto[27490]: |   'rsaEncryption'
Jun 15 13:20:19 debian pluto[27490]: | L1 - subjectPublicKey:
Jun 15 13:20:19 debian pluto[27490]: | -- > --
Jun 15 13:20:19 debian pluto[27490]: | L0 - RSAPublicKey:
Jun 15 13:20:19 debian pluto[27490]: | L1 - modulus:
Jun 15 13:20:19 debian pluto[27490]: | L1 - publicExponent:
Jun 15 13:20:19 debian pluto[27490]: | -- < --
Jun 15 13:20:19 debian pluto[27490]: | -- < --
Jun 15 13:20:19 debian pluto[27490]: | L2 - optional extensions:
Jun 15 13:20:19 debian pluto[27490]: | L3 - extensions:
Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
Jun 15 13:20:19 debian pluto[27490]: |   'subjectKeyIdentifier'
Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
Jun 15 13:20:19 debian pluto[27490]: |   FALSE
Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
Jun 15 13:20:19 debian pluto[27490]: | L6 - keyIdentifier:
Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
Jun 15 13:20:19 debian pluto[27490]: |   'authorityKeyIdentifier'
Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
Jun 15 13:20:19 debian pluto[27490]: |   FALSE
Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
Jun 15 13:20:19 debian pluto[27490]: | L6 - authorityKeyIdentifier:
Jun 15 13:20:19 debian pluto[27490]: | L7 - keyIdentifier:
Jun 15 13:20:19 debian pluto[27490]: | L7 - authorityCertIssuer:
Jun 15 13:20:19 debian pluto[27490]: | L7 - authorityCertSerialNumber:
Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
Jun 15 13:20:19 debian pluto[27490]: |   'basicConstraints'
Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
Jun 15 13:20:19 debian pluto[27490]: |   TRUE
Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
Jun 15 13:20:19 debian pluto[27490]: | L6 - basicConstraints:
Jun 15 13:20:19 debian pluto[27490]: | L7 - CA:
Jun 15 13:20:19 debian pluto[27490]: |   TRUE
Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
Jun 15 13:20:19 debian pluto[27490]: |   'keyUsage'
Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
Jun 15 13:20:19 debian pluto[27490]: |   FALSE
Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
Jun 15 13:20:19 debian pluto[27490]: | L1 - signatureAlgorithm:
Jun 15 13:20:19 debian pluto[27490]: | L2 - algorithmIdentifier:
Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithm:
Jun 15 13:20:19 debian pluto[27490]: |   'sha-1WithRSAEncryption'
Jun 15 13:20:19 debian pluto[27490]: | L1 - signatureValue:
Jun 15 13:20:19 debian pluto[27490]: | signature verification:
Jun 15 13:20:19 debian pluto[27490]: | L0 - digestInfo:
Jun 15 13:20:19 debian pluto[27490]: | L1 - digestAlgorithm:
Jun 15 13:20:19 debian pluto[27490]: | L2 - algorithmIdentifier:
Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithm:
Jun 15 13:20:19 debian pluto[27490]: |   'sha-1'
Jun 15 13:20:19 debian pluto[27490]: | L1 - digest:
Jun 15 13:20:19 debian pluto[27490]: | subject: 'C=DE, ST=Bavaria,
O=Org, OU=org-unit, CN=root-ca'
Jun 15 13:20:19 debian pluto[27490]: | issuer:  'C=DE, ST=Bavaria,
O=Org, OU=org-unit, CN=root-ca'
Jun 15 13:20:19 debian pluto[27490]: | authkey:
9b:d6:5a:04:bb:e6:22:83:e4:d2:38:15:50:d8:57:a4:da:07:8d:fe
Jun 15 13:20:19 debian pluto[27490]: | certificate is valid
Jun 15 13:20:19 debian pluto[27490]: | issuer cacert found
Jun 15 13:20:19 debian pluto[27490]: | signature verification:
Jun 15 13:20:19 debian pluto[27490]: | L0 - digestInfo:
Jun 15 13:20:19 debian pluto[27490]: | L1 - digestAlgorithm:
Jun 15 13:20:19 debian pluto[27490]: | L2 - algorithmIdentifier:
Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithm:
Jun 15 13:20:19 debian pluto[27490]: |   'sha-1'
Jun 15 13:20:19 debian pluto[27490]: | L1 - digest:
Jun 15 13:20:19 debian pluto[27490]: | certificate signature is valid
Jun 15 13:20:19 debian pluto[27490]: "srx" #5: crl not found
Jun 15 13:20:19 debian pluto[27490]: "srx" #5: certificate status unknown
Jun 15 13:20:19 debian pluto[27490]: | subject: 'C=DE, ST=Bavaria,
O=Org, OU=org-unit, CN=root-ca'
Jun 15 13:20:19 debian pluto[27490]: | issuer:  'C=DE, ST=Bavaria,
O=Org, OU=org-unit, CN=root-ca'
Jun 15 13:20:19 debian pluto[27490]: | authkey:
9b:d6:5a:04:bb:e6:22:83:e4:d2:38:15:50:d8:57:a4:da:07:8d:fe
Jun 15 13:20:19 debian pluto[27490]: | certificate is valid
Jun 15 13:20:19 debian pluto[27490]: | issuer cacert found
Jun 15 13:20:19 debian pluto[27490]: | certificate signature is valid
Jun 15 13:20:19 debian pluto[27490]: | reached self-signed root ca with
a path length of 0
Jun 15 13:20:19 debian pluto[27490]: | Public key validated
Jun 15 13:20:19 debian pluto[27490]: "srx" #5: no public key known for
'10.0.81.82'
Jun 15 13:20:19 debian pluto[27490]: "srx" #5: sending encrypted
notification INVALID_KEY_INFORMATION to 10.0.81.82:500
-- 
Regards         * Holger Metschulat
  Holger        * e-mail: homer at stellwerke.de, http://home.arcor.de/estw
    "Internet use is a privilege, not a right."
       (Computer room rules at the university, 1994)
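
A way to triage a log like the one in this message, as an added example that is not part of the original post and is not strongSwan code: it lists the certificates in the order pluto parsed them and flags a rejected certificate whose issuer appears as the subject of a later one. The function names are hypothetical, the sample lines are constructed by condensing the log format above, and the matching relies only on message strings visible in that log.

```python
import re

# Constructed sample: condensed lines in the format of the pluto debug log
# above (ASN.1 detail omitted); long DNs are wrapped as in the mail.
SAMPLE_LOG = """\
Jun 15 13:20:19 debian pluto[27490]: | L0 - x509:
Jun 15 13:20:19 debian pluto[27490]: | subject: 'CN=srx5600'
Jun 15 13:20:19 debian pluto[27490]: | issuer:  'C=DE, ST=Bavaria,
L=Munich, O=Org, OU=org-unit, CN=sub-ca'
Jun 15 13:20:19 debian pluto[27490]: "srx" #5: issuer cacert not found
Jun 15 13:20:19 debian pluto[27490]: "srx" #5: X.509 certificate rejected
Jun 15 13:20:19 debian pluto[27490]: | L0 - x509:
Jun 15 13:20:19 debian pluto[27490]: | subject: 'C=DE, ST=Bavaria,
L=Munich, O=Org, OU=org-unit, CN=sub-ca'
Jun 15 13:20:19 debian pluto[27490]: | issuer:  'C=DE, ST=Bavaria,
O=Org, OU=org-unit, CN=root-ca'
Jun 15 13:20:19 debian pluto[27490]: | issuer cacert found
Jun 15 13:20:19 debian pluto[27490]: | subject: 'C=DE, ST=Bavaria,
O=Org, OU=org-unit, CN=root-ca'
Jun 15 13:20:19 debian pluto[27490]: | Public key validated
Jun 15 13:20:19 debian pluto[27490]: | L0 - x509:
Jun 15 13:20:19 debian pluto[27490]: | subject: 'C=DE, ST=Bavaria,
O=Org, OU=org-unit, CN=root-ca'
Jun 15 13:20:19 debian pluto[27490]: | issuer:  'C=DE, ST=Bavaria,
O=Org, OU=org-unit, CN=root-ca'
Jun 15 13:20:19 debian pluto[27490]: | Public key validated
"""

FIELD = re.compile(r"\| (subject|issuer):\s+'([^']*)'")

def unwrap(log):
    """Re-join lines the mail client wrapped (they lack the 'pluto[' prefix)."""
    out = []
    for line in log.splitlines():
        if " pluto[" in line or not out:
            out.append(line)
        else:
            out[-1] += " " + line.strip()
    return out

def certs_in_arrival_order(log):
    """One dict per parsed certificate, in the order pluto processed them."""
    certs = []
    for line in unwrap(log):
        if "| L0 - x509:" in line:            # start of a new certificate parse
            certs.append({"subject": None, "issuer": None, "verdict": "unknown"})
            continue
        if not certs:
            continue
        cur, m = certs[-1], FIELD.search(line)
        if m:
            if cur[m.group(1)] is None:       # later DN lines are the chain walk
                cur[m.group(1)] = m.group(2)
        elif "X.509 certificate rejected" in line:
            cur["verdict"] = "rejected"
        elif "Public key validated" in line:
            cur["verdict"] = "validated"
    return certs

def late_issuers(certs):
    """(subject, issuer, positions_later) for rejected certs whose issuer arrives later."""
    found = []
    for i, c in enumerate(certs):
        later = [j for j in range(i + 1, len(certs)) if certs[j]["subject"] == c["issuer"]]
        if c["verdict"] == "rejected" and later:
            found.append((c["subject"], c["issuer"], later[0] - i))
    return found
```
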



