[strongSwan] Intermediate CAs - ordering important?

Andreas Steffen andreas.steffen at strongswan.org
Tue Jun 15 20:18:46 CEST 2010


Hi Holger,

as far as I remember pluto supports the import of intermediate CA
certificates received via IKEv1 only if they are embedded together
with the end entity certificate in a PKCS#7 envelope. This is what
Microsoft Windows clients are typically doing. Since over the last
10 years no one requested the inclusion of intermediate CA certs in
separate X.509 payloads I did not implement it.

We plan to port the X.509 trust chain verification of the IKEv2
charon daemon back to pluto thus the inclusion of separate CA certs
might become feasible in the not too distant future.

Regards

Andreas

On 06/15/2010 06:35 PM, Holger Metschulat wrote:
> Hi all,
> 
> I am trying to configure a certificate based VPN between a Juniper SRX
> and StrongSwan 4.3.6.
> 
> There are two CAs, CN=root-ca and CN=sub-ca. As the names indicate,
> root-ca is self-signed and sub-ca is a CA signed by root-ca.
> 
> The SRX's certificate is certified by sub-ca, StrongSwan's certificate
> is signed by root-ca.
> 
> SRX has installed the root-ca and sub-ca certificates; StrongSwan only
> has root-ca's certificate configured as the CA cert.
> 
> This means that the SRX has to send not only its own certificate, but
> also sub-ca's certificate as the intermediate CA.
> 
> This all works fine, however, I am ending up with "no public key known"
> on the StrongSwan side for the SRX public key.
> 
> I have observed that the order of the certificates received by
> StrongSwan is SRX cert, sub-ca cert and then root-ca cert. After
> reception of the SRX cert, it seems that StrongSwan drops that cert
> because it can't verify the issuer and then never recovers when it
> afterwards receives the intermediate CA:
> 
> Jun 15 13:20:19 debian pluto[27490]: "srx" #5: issuer cacert not found
> Jun 15 13:20:19 debian pluto[27490]: "srx" #5: X.509 certificate rejected
> 
> Can anyone confirm? Thanks!
> 
> Here are the detailed logs:
> 
> Jun 15 13:20:19 debian pluto[27490]: | ICOOKIE:  e8 0a 9f ce  96 52 a3 d6
> Jun 15 13:20:19 debian pluto[27490]: | RCOOKIE:  fb e9 79 82  92 62 7f 46
> Jun 15 13:20:19 debian pluto[27490]: | peer:  0a 00 51 52
> Jun 15 13:20:19 debian pluto[27490]: | state hash entry 15
> Jun 15 13:20:19 debian pluto[27490]: | state object #5 found, in
> STATE_MAIN_I3
> Jun 15 13:20:19 debian pluto[27490]: | ***parse ISAKMP Identification
> Payload:
> Jun 15 13:20:19 debian pluto[27490]: |    next payload type:
> ISAKMP_NEXT_CERT
> Jun 15 13:20:19 debian pluto[27490]: |    length: 12
> Jun 15 13:20:19 debian pluto[27490]: |    ID type: ID_IPV4_ADDR
> Jun 15 13:20:19 debian pluto[27490]: |    DOI specific A: 17
> Jun 15 13:20:19 debian pluto[27490]: |    DOI specific B: 0
> Jun 15 13:20:19 debian pluto[27490]: | ***parse ISAKMP Certificate Payload:
> Jun 15 13:20:19 debian pluto[27490]: |    next payload type:
> ISAKMP_NEXT_CERT
> Jun 15 13:20:19 debian pluto[27490]: |    length: 784
> Jun 15 13:20:19 debian pluto[27490]: |    cert encoding: CERT_X509_SIGNATURE
> Jun 15 13:20:19 debian pluto[27490]: | ***parse ISAKMP Certificate Payload:
> Jun 15 13:20:19 debian pluto[27490]: |    next payload type:
> ISAKMP_NEXT_CERT
> Jun 15 13:20:19 debian pluto[27490]: |    length: 700
> Jun 15 13:20:19 debian pluto[27490]: |    cert encoding: CERT_X509_SIGNATURE
> Jun 15 13:20:19 debian pluto[27490]: | ***parse ISAKMP Certificate Payload:
> Jun 15 13:20:19 debian pluto[27490]: |    next payload type: ISAKMP_NEXT_SIG
> Jun 15 13:20:19 debian pluto[27490]: |    length: 762
> Jun 15 13:20:19 debian pluto[27490]: |    cert encoding: CERT_X509_SIGNATURE
> Jun 15 13:20:19 debian pluto[27490]: | ***parse ISAKMP Signature Payload:
> Jun 15 13:20:19 debian pluto[27490]: |    next payload type:
> ISAKMP_NEXT_NONE
> Jun 15 13:20:19 debian pluto[27490]: |    length: 260
> Jun 15 13:20:19 debian pluto[27490]: | removing 10 bytes of padding
> Jun 15 13:20:19 debian pluto[27490]: | protocol/port in Phase 1 ID
> Payload is 17/0. accepted with port_floating NAT-T
> Jun 15 13:20:19 debian pluto[27490]: "srx" #5: Peer ID is ID_IPV4_ADDR:
> '10.0.81.82'
> Jun 15 13:20:19 debian pluto[27490]: | L0 - x509:
> Jun 15 13:20:19 debian pluto[27490]: | L1 - tbsCertificate:
> Jun 15 13:20:19 debian pluto[27490]: | L2 - DEFAULT v1:
> Jun 15 13:20:19 debian pluto[27490]: | L3 - version:
> Jun 15 13:20:19 debian pluto[27490]: |   X.509v3
> Jun 15 13:20:19 debian pluto[27490]: | L2 - serialNumber:
> Jun 15 13:20:19 debian pluto[27490]: | L2 - signature:
> Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithmIdentifier:
> Jun 15 13:20:19 debian pluto[27490]: | L4 - algorithm:
> Jun 15 13:20:19 debian pluto[27490]: |   'sha-1WithRSAEncryption'
> Jun 15 13:20:19 debian pluto[27490]: | L2 - issuer:
> Jun 15 13:20:19 debian pluto[27490]: |   'C=DE, ST=Bavaria, L=Munich,
> O=Org, OU=org-unit, CN=sub-ca'
> Jun 15 13:20:19 debian pluto[27490]: | L2 - validity:
> Jun 15 13:20:19 debian pluto[27490]: | L3 - notBefore:
> Jun 15 13:20:19 debian pluto[27490]: | L4 - utcTime:
> Jun 15 13:20:19 debian pluto[27490]: |   'Jun 15 13:10:56 UTC 2010'
> Jun 15 13:20:19 debian pluto[27490]: | L3 - notAfter:
> Jun 15 13:20:19 debian pluto[27490]: | L4 - utcTime:
> Jun 15 13:20:19 debian pluto[27490]: |   'Jun 15 13:10:56 UTC 2011'
> Jun 15 13:20:19 debian pluto[27490]: | L2 - subject:
> Jun 15 13:20:19 debian pluto[27490]: |   'CN=srx5600'
> Jun 15 13:20:19 debian pluto[27490]: | L2 - subjectPublicKeyInfo:
> Jun 15 13:20:19 debian pluto[27490]: | -- > --
> Jun 15 13:20:19 debian pluto[27490]: | L0 - subjectPublicKeyInfo:
> Jun 15 13:20:19 debian pluto[27490]: | L1 - algorithm:
> Jun 15 13:20:19 debian pluto[27490]: | L2 - algorithmIdentifier:
> Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithm:
> Jun 15 13:20:19 debian pluto[27490]: |   'rsaEncryption'
> Jun 15 13:20:19 debian pluto[27490]: | L1 - subjectPublicKey:
> Jun 15 13:20:19 debian pluto[27490]: | -- > --
> Jun 15 13:20:19 debian pluto[27490]: | L0 - RSAPublicKey:
> Jun 15 13:20:19 debian pluto[27490]: | L1 - modulus:
> Jun 15 13:20:19 debian pluto[27490]: | L1 - publicExponent:
> Jun 15 13:20:19 debian pluto[27490]: | -- < --
> Jun 15 13:20:19 debian pluto[27490]: | -- < --
> Jun 15 13:20:19 debian pluto[27490]: | L2 - optional extensions:
> Jun 15 13:20:19 debian pluto[27490]: | L3 - extensions:
> Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
> Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
> Jun 15 13:20:19 debian pluto[27490]: |   'basicConstraints'
> Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
> Jun 15 13:20:19 debian pluto[27490]: |   FALSE
> Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
> Jun 15 13:20:19 debian pluto[27490]: | L6 - basicConstraints:
> Jun 15 13:20:19 debian pluto[27490]: | L7 - CA:
> Jun 15 13:20:19 debian pluto[27490]: |   FALSE
> Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
> Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
> Jun 15 13:20:19 debian pluto[27490]: |   'nsComment'
> Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
> Jun 15 13:20:19 debian pluto[27490]: |   FALSE
> Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
> Jun 15 13:20:19 debian pluto[27490]: | L6 - nsComment:
> Jun 15 13:20:19 debian pluto[27490]: |   'OpenSSL Generated Certificate'
> Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
> Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
> Jun 15 13:20:19 debian pluto[27490]: |   'subjectKeyIdentifier'
> Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
> Jun 15 13:20:19 debian pluto[27490]: |   FALSE
> Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
> Jun 15 13:20:19 debian pluto[27490]: | L6 - keyIdentifier:
> Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
> Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
> Jun 15 13:20:19 debian pluto[27490]: |   'authorityKeyIdentifier'
> Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
> Jun 15 13:20:19 debian pluto[27490]: |   FALSE
> Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
> Jun 15 13:20:19 debian pluto[27490]: | L6 - authorityKeyIdentifier:
> Jun 15 13:20:19 debian pluto[27490]: | L7 - keyIdentifier:
> Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
> Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
> Jun 15 13:20:19 debian pluto[27490]: |   'subjectAltName'
> Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
> Jun 15 13:20:19 debian pluto[27490]: |   FALSE
> Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
> Jun 15 13:20:19 debian pluto[27490]: | L6 - generalNames:
> Jun 15 13:20:19 debian pluto[27490]: | L7 - generalName:
> Jun 15 13:20:19 debian pluto[27490]: | L8 - ipAddress:
> Jun 15 13:20:19 debian pluto[27490]: |   '10.0.81.82'
> Jun 15 13:20:19 debian pluto[27490]: | L1 - signatureAlgorithm:
> Jun 15 13:20:19 debian pluto[27490]: | L2 - algorithmIdentifier:
> Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithm:
> Jun 15 13:20:19 debian pluto[27490]: |   'sha-1WithRSAEncryption'
> Jun 15 13:20:19 debian pluto[27490]: | L1 - signatureValue:
> Jun 15 13:20:19 debian pluto[27490]: | subject: 'CN=srx5600'
> Jun 15 13:20:19 debian pluto[27490]: | issuer:  'C=DE, ST=Bavaria,
> L=Munich, O=Org, OU=org-unit, CN=sub-ca'
> Jun 15 13:20:19 debian pluto[27490]: | authkey:
> 99:c8:85:a1:a1:4f:60:9a:1c:3a:6d:9e:f0:0f:3d:aa:d9:53:ef:71
> Jun 15 13:20:19 debian pluto[27490]: | certificate is valid
> Jun 15 13:20:19 debian pluto[27490]: "srx" #5: issuer cacert not found
> Jun 15 13:20:19 debian pluto[27490]: "srx" #5: X.509 certificate rejected
> Jun 15 13:20:19 debian pluto[27490]: | L0 - x509:
> Jun 15 13:20:19 debian pluto[27490]: | L1 - tbsCertificate:
> Jun 15 13:20:19 debian pluto[27490]: | L2 - DEFAULT v1:
> Jun 15 13:20:19 debian pluto[27490]: | L3 - version:
> Jun 15 13:20:19 debian pluto[27490]: |   X.509v3
> Jun 15 13:20:19 debian pluto[27490]: | L2 - serialNumber:
> Jun 15 13:20:19 debian pluto[27490]: | L2 - signature:
> Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithmIdentifier:
> Jun 15 13:20:19 debian pluto[27490]: | L4 - algorithm:
> Jun 15 13:20:19 debian pluto[27490]: |   'sha-1WithRSAEncryption'
> Jun 15 13:20:19 debian pluto[27490]: | L2 - issuer:
> Jun 15 13:20:19 debian pluto[27490]: |   'C=DE, ST=Bavaria, O=Org,
> OU=org-unit, CN=root-ca'
> Jun 15 13:20:19 debian pluto[27490]: | L2 - validity:
> Jun 15 13:20:19 debian pluto[27490]: | L3 - notBefore:
> Jun 15 13:20:19 debian pluto[27490]: | L4 - utcTime:
> Jun 15 13:20:19 debian pluto[27490]: |   'Jun 15 11:30:22 UTC 2010'
> Jun 15 13:20:19 debian pluto[27490]: | L3 - notAfter:
> Jun 15 13:20:19 debian pluto[27490]: | L4 - utcTime:
> Jun 15 13:20:19 debian pluto[27490]: |   'Jun 15 11:30:22 UTC 2011'
> Jun 15 13:20:19 debian pluto[27490]: | L2 - subject:
> Jun 15 13:20:19 debian pluto[27490]: |   'C=DE, ST=Bavaria, L=Munich,
> O=Org, OU=org-unit, CN=sub-ca'
> Jun 15 13:20:19 debian pluto[27490]: | L2 - subjectPublicKeyInfo:
> Jun 15 13:20:19 debian pluto[27490]: | -- > --
> Jun 15 13:20:19 debian pluto[27490]: | L0 - subjectPublicKeyInfo:
> Jun 15 13:20:19 debian pluto[27490]: | L1 - algorithm:
> Jun 15 13:20:19 debian pluto[27490]: | L2 - algorithmIdentifier:
> Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithm:
> Jun 15 13:20:19 debian pluto[27490]: |   'rsaEncryption'
> Jun 15 13:20:19 debian pluto[27490]: | L1 - subjectPublicKey:
> Jun 15 13:20:19 debian pluto[27490]: | -- > --
> Jun 15 13:20:19 debian pluto[27490]: | L0 - RSAPublicKey:
> Jun 15 13:20:19 debian pluto[27490]: | L1 - modulus:
> Jun 15 13:20:19 debian pluto[27490]: | L1 - publicExponent:
> Jun 15 13:20:19 debian pluto[27490]: | -- < --
> Jun 15 13:20:19 debian pluto[27490]: | -- < --
> Jun 15 13:20:19 debian pluto[27490]: | L2 - optional extensions:
> Jun 15 13:20:19 debian pluto[27490]: | L3 - extensions:
> Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
> Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
> Jun 15 13:20:19 debian pluto[27490]: |   'basicConstraints'
> Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
> Jun 15 13:20:19 debian pluto[27490]: |   FALSE
> Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
> Jun 15 13:20:19 debian pluto[27490]: | L6 - basicConstraints:
> Jun 15 13:20:19 debian pluto[27490]: | L7 - CA:
> Jun 15 13:20:19 debian pluto[27490]: |   FALSE
> Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
> Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
> Jun 15 13:20:19 debian pluto[27490]: |   'nsComment'
> Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
> Jun 15 13:20:19 debian pluto[27490]: |   FALSE
> Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
> Jun 15 13:20:19 debian pluto[27490]: | L6 - nsComment:
> Jun 15 13:20:19 debian pluto[27490]: |   'OpenSSL Generated Certificate'
> Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
> Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
> Jun 15 13:20:19 debian pluto[27490]: |   'subjectKeyIdentifier'
> Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
> Jun 15 13:20:19 debian pluto[27490]: |   FALSE
> Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
> Jun 15 13:20:19 debian pluto[27490]: | L6 - keyIdentifier:
> Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
> Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
> Jun 15 13:20:19 debian pluto[27490]: |   'authorityKeyIdentifier'
> Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
> Jun 15 13:20:19 debian pluto[27490]: |   FALSE
> Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
> Jun 15 13:20:19 debian pluto[27490]: | L6 - authorityKeyIdentifier:
> Jun 15 13:20:19 debian pluto[27490]: | L7 - keyIdentifier:
> Jun 15 13:20:19 debian pluto[27490]: | L1 - signatureAlgorithm:
> Jun 15 13:20:19 debian pluto[27490]: | L2 - algorithmIdentifier:
> Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithm:
> Jun 15 13:20:19 debian pluto[27490]: |   'sha-1WithRSAEncryption'
> Jun 15 13:20:19 debian pluto[27490]: | L1 - signatureValue:
> Jun 15 13:20:19 debian pluto[27490]: | subject: 'C=DE, ST=Bavaria,
> L=Munich, O=Org, OU=org-unit, CN=sub-ca'
> Jun 15 13:20:19 debian pluto[27490]: | issuer:  'C=DE, ST=Bavaria,
> O=Org, OU=org-unit, CN=root-ca'
> Jun 15 13:20:19 debian pluto[27490]: | authkey:
> 9b:d6:5a:04:bb:e6:22:83:e4:d2:38:15:50:d8:57:a4:da:07:8d:fe
> Jun 15 13:20:19 debian pluto[27490]: | certificate is valid
> Jun 15 13:20:19 debian pluto[27490]: | issuer cacert found
> Jun 15 13:20:19 debian pluto[27490]: | signature verification:
> Jun 15 13:20:19 debian pluto[27490]: | L0 - digestInfo:
> Jun 15 13:20:19 debian pluto[27490]: | L1 - digestAlgorithm:
> Jun 15 13:20:19 debian pluto[27490]: | L2 - algorithmIdentifier:
> Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithm:
> Jun 15 13:20:19 debian pluto[27490]: |   'sha-1'
> Jun 15 13:20:19 debian pluto[27490]: | L1 - digest:
> Jun 15 13:20:19 debian pluto[27490]: | certificate signature is valid
> Jun 15 13:20:19 debian pluto[27490]: "srx" #5: crl not found
> Jun 15 13:20:19 debian pluto[27490]: "srx" #5: certificate status unknown
> Jun 15 13:20:19 debian pluto[27490]: | subject: 'C=DE, ST=Bavaria,
> O=Org, OU=org-unit, CN=root-ca'
> Jun 15 13:20:19 debian pluto[27490]: | issuer:  'C=DE, ST=Bavaria,
> O=Org, OU=org-unit, CN=root-ca'
> Jun 15 13:20:19 debian pluto[27490]: | authkey:
> 9b:d6:5a:04:bb:e6:22:83:e4:d2:38:15:50:d8:57:a4:da:07:8d:fe
> Jun 15 13:20:19 debian pluto[27490]: | certificate is valid
> Jun 15 13:20:19 debian pluto[27490]: | issuer cacert found
> Jun 15 13:20:19 debian pluto[27490]: | certificate signature is valid
> Jun 15 13:20:19 debian pluto[27490]: | reached self-signed root ca with
> a path length of 0
> Jun 15 13:20:19 debian pluto[27490]: | Public key validated
> Jun 15 13:20:19 debian pluto[27490]: | L0 - x509:
> Jun 15 13:20:19 debian pluto[27490]: | L1 - tbsCertificate:
> Jun 15 13:20:19 debian pluto[27490]: | L2 - DEFAULT v1:
> Jun 15 13:20:19 debian pluto[27490]: | L3 - version:
> Jun 15 13:20:19 debian pluto[27490]: |   X.509v3
> Jun 15 13:20:19 debian pluto[27490]: | L2 - serialNumber:
> Jun 15 13:20:19 debian pluto[27490]: | L2 - signature:
> Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithmIdentifier:
> Jun 15 13:20:19 debian pluto[27490]: | L4 - algorithm:
> Jun 15 13:20:19 debian pluto[27490]: |   'sha-1WithRSAEncryption'
> Jun 15 13:20:19 debian pluto[27490]: | L2 - issuer:
> Jun 15 13:20:19 debian pluto[27490]: |   'C=DE, ST=Bavaria, O=Org,
> OU=org-unit, CN=root-ca'
> Jun 15 13:20:19 debian pluto[27490]: | L2 - validity:
> Jun 15 13:20:19 debian pluto[27490]: | L3 - notBefore:
> Jun 15 13:20:19 debian pluto[27490]: | L4 - utcTime:
> Jun 15 13:20:19 debian pluto[27490]: |   'Jun 14 19:42:33 UTC 2010'
> Jun 15 13:20:19 debian pluto[27490]: | L3 - notAfter:
> Jun 15 13:20:19 debian pluto[27490]: | L4 - utcTime:
> Jun 15 13:20:19 debian pluto[27490]: |   'Jun 13 19:42:33 UTC 2013'
> Jun 15 13:20:19 debian pluto[27490]: | L2 - subject:
> Jun 15 13:20:19 debian pluto[27490]: |   'C=DE, ST=Bavaria, O=Org,
> OU=org-unit, CN=root-ca'
> Jun 15 13:20:19 debian pluto[27490]: | L2 - subjectPublicKeyInfo:
> Jun 15 13:20:19 debian pluto[27490]: | -- > --
> Jun 15 13:20:19 debian pluto[27490]: | L0 - subjectPublicKeyInfo:
> Jun 15 13:20:19 debian pluto[27490]: | L1 - algorithm:
> Jun 15 13:20:19 debian pluto[27490]: | L2 - algorithmIdentifier:
> Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithm:
> Jun 15 13:20:19 debian pluto[27490]: |   'rsaEncryption'
> Jun 15 13:20:19 debian pluto[27490]: | L1 - subjectPublicKey:
> Jun 15 13:20:19 debian pluto[27490]: | -- > --
> Jun 15 13:20:19 debian pluto[27490]: | L0 - RSAPublicKey:
> Jun 15 13:20:19 debian pluto[27490]: | L1 - modulus:
> Jun 15 13:20:19 debian pluto[27490]: | L1 - publicExponent:
> Jun 15 13:20:19 debian pluto[27490]: | -- < --
> Jun 15 13:20:19 debian pluto[27490]: | -- < --
> Jun 15 13:20:19 debian pluto[27490]: | L2 - optional extensions:
> Jun 15 13:20:19 debian pluto[27490]: | L3 - extensions:
> Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
> Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
> Jun 15 13:20:19 debian pluto[27490]: |   'subjectKeyIdentifier'
> Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
> Jun 15 13:20:19 debian pluto[27490]: |   FALSE
> Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
> Jun 15 13:20:19 debian pluto[27490]: | L6 - keyIdentifier:
> Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
> Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
> Jun 15 13:20:19 debian pluto[27490]: |   'authorityKeyIdentifier'
> Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
> Jun 15 13:20:19 debian pluto[27490]: |   FALSE
> Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
> Jun 15 13:20:19 debian pluto[27490]: | L6 - authorityKeyIdentifier:
> Jun 15 13:20:19 debian pluto[27490]: | L7 - keyIdentifier:
> Jun 15 13:20:19 debian pluto[27490]: | L7 - authorityCertIssuer:
> Jun 15 13:20:19 debian pluto[27490]: | L7 - authorityCertSerialNumber:
> Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
> Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
> Jun 15 13:20:19 debian pluto[27490]: |   'basicConstraints'
> Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
> Jun 15 13:20:19 debian pluto[27490]: |   TRUE
> Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
> Jun 15 13:20:19 debian pluto[27490]: | L6 - basicConstraints:
> Jun 15 13:20:19 debian pluto[27490]: | L7 - CA:
> Jun 15 13:20:19 debian pluto[27490]: |   TRUE
> Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
> Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
> Jun 15 13:20:19 debian pluto[27490]: |   'keyUsage'
> Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
> Jun 15 13:20:19 debian pluto[27490]: |   FALSE
> Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
> Jun 15 13:20:19 debian pluto[27490]: | L1 - signatureAlgorithm:
> Jun 15 13:20:19 debian pluto[27490]: | L2 - algorithmIdentifier:
> Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithm:
> Jun 15 13:20:19 debian pluto[27490]: |   'sha-1WithRSAEncryption'
> Jun 15 13:20:19 debian pluto[27490]: | L1 - signatureValue:
> Jun 15 13:20:19 debian pluto[27490]: | signature verification:
> Jun 15 13:20:19 debian pluto[27490]: | L0 - digestInfo:
> Jun 15 13:20:19 debian pluto[27490]: | L1 - digestAlgorithm:
> Jun 15 13:20:19 debian pluto[27490]: | L2 - algorithmIdentifier:
> Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithm:
> Jun 15 13:20:19 debian pluto[27490]: |   'sha-1'
> Jun 15 13:20:19 debian pluto[27490]: | L1 - digest:
> Jun 15 13:20:19 debian pluto[27490]: | subject: 'C=DE, ST=Bavaria,
> O=Org, OU=org-unit, CN=root-ca'
> Jun 15 13:20:19 debian pluto[27490]: | issuer:  'C=DE, ST=Bavaria,
> O=Org, OU=org-unit, CN=root-ca'
> Jun 15 13:20:19 debian pluto[27490]: | authkey:
> 9b:d6:5a:04:bb:e6:22:83:e4:d2:38:15:50:d8:57:a4:da:07:8d:fe
> Jun 15 13:20:19 debian pluto[27490]: | certificate is valid
> Jun 15 13:20:19 debian pluto[27490]: | issuer cacert found
> Jun 15 13:20:19 debian pluto[27490]: | signature verification:
> Jun 15 13:20:19 debian pluto[27490]: | L0 - digestInfo:
> Jun 15 13:20:19 debian pluto[27490]: | L1 - digestAlgorithm:
> Jun 15 13:20:19 debian pluto[27490]: | L2 - algorithmIdentifier:
> Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithm:
> Jun 15 13:20:19 debian pluto[27490]: |   'sha-1'
> Jun 15 13:20:19 debian pluto[27490]: | L1 - digest:
> Jun 15 13:20:19 debian pluto[27490]: | certificate signature is valid
> Jun 15 13:20:19 debian pluto[27490]: "srx" #5: crl not found
> Jun 15 13:20:19 debian pluto[27490]: "srx" #5: certificate status unknown
> Jun 15 13:20:19 debian pluto[27490]: | subject: 'C=DE, ST=Bavaria,
> O=Org, OU=org-unit, CN=root-ca'
> Jun 15 13:20:19 debian pluto[27490]: | issuer:  'C=DE, ST=Bavaria,
> O=Org, OU=org-unit, CN=root-ca'
> Jun 15 13:20:19 debian pluto[27490]: | authkey:
> 9b:d6:5a:04:bb:e6:22:83:e4:d2:38:15:50:d8:57:a4:da:07:8d:fe
> Jun 15 13:20:19 debian pluto[27490]: | certificate is valid
> Jun 15 13:20:19 debian pluto[27490]: | issuer cacert found
> Jun 15 13:20:19 debian pluto[27490]: | certificate signature is valid
> Jun 15 13:20:19 debian pluto[27490]: | reached self-signed root ca with
> a path length of 0
> Jun 15 13:20:19 debian pluto[27490]: | Public key validated
> Jun 15 13:20:19 debian pluto[27490]: "srx" #5: no public key known for
> '10.0.81.82'
> Jun 15 13:20:19 debian pluto[27490]: "srx" #5: sending encrypted
> notification INVALID_KEY_INFORMATION to 10.0.81.82:500


-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
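As an added illustration of the ordering problem described in the quoted post and the per-payload import behaviour explained in the reply (example code, not from strongSwan or either poster): a toy verifier that contrasts judging each CERT payload the moment it arrives with pooling all payloads first and building the chain afterwards. Certificates are plain records using the DNs and authority key identifiers from the quoted log; the srx5600 subject key identifier is a constructed value, no real signature check is performed (issuer matching is by key identifier only), and the cA-flag check follows RFC 5280 path validation, which would also reject the quoted sub-ca dump that shows basicConstraints CA:FALSE.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    skid: str      # subjectKeyIdentifier
    authkey: str   # authorityKeyIdentifier, equal to the issuer's skid
    ca: bool       # basicConstraints cA flag

# DNs and key identifiers as printed in the quoted log; the srx5600
# subjectKeyIdentifier value is not printed there, so it is constructed.
# No real signature check is done: an issuer "matches" by key identifier.
ROOT_DN = "C=DE, ST=Bavaria, O=Org, OU=org-unit, CN=root-ca"
SUBCA_DN = "C=DE, ST=Bavaria, L=Munich, O=Org, OU=org-unit, CN=sub-ca"
ROOT_KID = "9b:d6:5a:04:bb:e6:22:83:e4:d2:38:15:50:d8:57:a4:da:07:8d:fe"
SUBCA_KID = "99:c8:85:a1:a1:4f:60:9a:1c:3a:6d:9e:f0:0f:3d:aa:d9:53:ef:71"
ROOT = Cert(ROOT_DN, ROOT_DN, ROOT_KID, ROOT_KID, ca=True)
SUBCA = Cert(SUBCA_DN, ROOT_DN, SUBCA_KID, ROOT_KID, ca=True)
SRX = Cert("CN=srx5600", SUBCA_DN, "ee:ki:d0:constructed", SUBCA_KID, ca=False)

def issuer_of(cert: Cert, pool: Dict[str, Cert]) -> Optional[Cert]:
    """Return the CA in `pool` that may have issued `cert`, else None."""
    cand = pool.get(cert.authkey)
    if cand is None or cand.subject != cert.issuer or not cand.ca:
        return None
    return cand

def arrival_order_verify(payloads: List[Cert],
                         trusted: List[Cert]) -> Tuple[bool, str]:
    """Judge each CERT payload as it arrives, as the quoted pluto log does:
    a cert whose issuer is not yet known is dropped on the spot, so a chain
    sent end-entity first never completes even though its CAs follow."""
    known = {c.skid: c for c in trusted}
    for cert in payloads:
        if issuer_of(cert, known) is None:
            return False, f"issuer cacert not found for '{cert.subject}'"
        if cert.ca:
            known[cert.skid] = cert   # usable by certs that arrive later
    return True, "ok"

def build_chain(ee: Cert, payloads: List[Cert], trusted: List[Cert],
                max_len: int = 3) -> Tuple[bool, List[str]]:
    """Pool every payload first, then walk from `ee` up to a trust anchor.
    Only certs with the cA flag may sit above the end entity, so a sub-CA
    carrying CA:FALSE is rejected here whatever order it arrived in."""
    anchors = {c.skid: c for c in trusted}
    pool = {c.skid: c for c in payloads if c.ca}   # received, untrusted CAs
    pool.update(anchors)                           # configured copy wins
    path, cur = [ee.subject], ee
    while len(path) <= max_len:
        nxt = issuer_of(cur, pool)
        if nxt is None:
            return False, path + ["issuer cacert not found"]
        path.append(nxt.subject)
        if nxt.skid in anchors:
            return True, path
        cur = nxt
    return False, path + ["path too long"]

if __name__ == "__main__":
    as_received = [SRX, SUBCA, ROOT]   # order observed in the quoted log
    print(arrival_order_verify(as_received, [ROOT]))
    print(arrival_order_verify(as_received[::-1], [ROOT]))
    print(build_chain(SRX, as_received, [ROOT]))
```

Run as-is, the first call fails with the log's ordering while the same payloads in reverse order pass, and the pooled builder accepts either order.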
