[strongSwan] Intermediate CAs - ordering important?

Holger Metschulat holger.metschulat at arcor.de
Tue Jun 15 21:39:20 CEST 2010


Hi Andreas,

thanks for pointing this out, there is indeed a StrongSwan test case for
this
(http://www.strongswan.org/uml/testresults43/ikev1/multi-level-ca-ldap/moon.auth.log)
but there it is done by multiple messages being exchanged after an IKE
Key failure and then the Intermediate CAs being sent one after the other.

So I am a bit worried what's correct...

Holger


Am 2010-06-15 20:18, schrieb Andreas Steffen:
> Hi Holger,
> 
> as far as I remember pluto supports the import of intermediate CA
> certificates received via IKEv1 only if they are embedded together
> with the end entity certificate in a PKCS#7 envelope. This is what
> Microsoft Windows clients are typically doing. Since over the last
> 10 years no one requested the inclusion of intermediate CA certs in
> separate X.509 payloads I did not implement it.
> 
> We plan to port the X.509 trust chain verification of the IKEv2
> charon daemon back to pluto thus the inclusion of separate CA certs
> might become feasible in the not too distant future.
> 
> Regards
> 
> Andreas
> 
> On 06/15/2010 06:35 PM, Holger Metschulat wrote:
>> > Hi all,
>> > 
>> > I am trying to configure a certificate based VPN between a Juniper SRX
>> > and StrongSwan 4.3.6.
>> > 
>> > There are two CAs, CN=root-ca and CN=sub-ca. As the names indicate,
>> > root-ca is self-signed and sub-ca is a CA signed by root-ca.
>> > 
>> > The SRX's certificate is certified by sub-ca, StrongSwan's certificate
>> > is signed by root-ca.
>> > 
>> > SRX has installed the root-ca and sub-ca certificates; StrongSwan only
>> > has root-ca's certificate configured as the CA cert.
>> > 
>> > This means that the SRX has to send not only its own certificate, but
>> > also sub-ca's certificate as the intermediate CA.
>> > 
>> > This all works fine; however, I end up with "no public key known"
>> > on the StrongSwan side for the SRX public key.
>> > 
>> > I have observed that the order of the certificates received by
>> > StrongSwan is SRX cert, sub-ca cert and then root-ca cert. After
>> > reception of the SRX cert, it seems that StrongSwan drops that cert
>> > because it can't verify the issuer and then never recovers when it
>> > afterwards receives the intermediate CA:
>> > 
>> > Jun 15 13:20:19 debian pluto[27490]: "srx" #5: issuer cacert not found
>> > Jun 15 13:20:19 debian pluto[27490]: "srx" #5: X.509 certificate rejected
>> > 
>> > Can anyone confirm? Thanks!
>> > 
>> > Here are the detailed logs:
>> > 
>> > Jun 15 13:20:19 debian pluto[27490]: | ICOOKIE:  e8 0a 9f ce  96 52 a3 d6
>> > Jun 15 13:20:19 debian pluto[27490]: | RCOOKIE:  fb e9 79 82  92 62 7f 46
>> > Jun 15 13:20:19 debian pluto[27490]: | peer:  0a 00 51 52
>> > Jun 15 13:20:19 debian pluto[27490]: | state hash entry 15
>> > Jun 15 13:20:19 debian pluto[27490]: | state object #5 found, in
>> > STATE_MAIN_I3
>> > Jun 15 13:20:19 debian pluto[27490]: | ***parse ISAKMP Identification
>> > Payload:
>> > Jun 15 13:20:19 debian pluto[27490]: |    next payload type:
>> > ISAKMP_NEXT_CERT
>> > Jun 15 13:20:19 debian pluto[27490]: |    length: 12
>> > Jun 15 13:20:19 debian pluto[27490]: |    ID type: ID_IPV4_ADDR
>> > Jun 15 13:20:19 debian pluto[27490]: |    DOI specific A: 17
>> > Jun 15 13:20:19 debian pluto[27490]: |    DOI specific B: 0
>> > Jun 15 13:20:19 debian pluto[27490]: | ***parse ISAKMP Certificate Payload:
>> > Jun 15 13:20:19 debian pluto[27490]: |    next payload type:
>> > ISAKMP_NEXT_CERT
>> > Jun 15 13:20:19 debian pluto[27490]: |    length: 784
>> > Jun 15 13:20:19 debian pluto[27490]: |    cert encoding: CERT_X509_SIGNATURE
>> > Jun 15 13:20:19 debian pluto[27490]: | ***parse ISAKMP Certificate Payload:
>> > Jun 15 13:20:19 debian pluto[27490]: |    next payload type:
>> > ISAKMP_NEXT_CERT
>> > Jun 15 13:20:19 debian pluto[27490]: |    length: 700
>> > Jun 15 13:20:19 debian pluto[27490]: |    cert encoding: CERT_X509_SIGNATURE
>> > Jun 15 13:20:19 debian pluto[27490]: | ***parse ISAKMP Certificate Payload:
>> > Jun 15 13:20:19 debian pluto[27490]: |    next payload type: ISAKMP_NEXT_SIG
>> > Jun 15 13:20:19 debian pluto[27490]: |    length: 762
>> > Jun 15 13:20:19 debian pluto[27490]: |    cert encoding: CERT_X509_SIGNATURE
>> > Jun 15 13:20:19 debian pluto[27490]: | ***parse ISAKMP Signature Payload:
>> > Jun 15 13:20:19 debian pluto[27490]: |    next payload type:
>> > ISAKMP_NEXT_NONE
>> > Jun 15 13:20:19 debian pluto[27490]: |    length: 260
>> > Jun 15 13:20:19 debian pluto[27490]: | removing 10 bytes of padding
>> > Jun 15 13:20:19 debian pluto[27490]: | protocol/port in Phase 1 ID
>> > Payload is 17/0. accepted with port_floating NAT-T
>> > Jun 15 13:20:19 debian pluto[27490]: "srx" #5: Peer ID is ID_IPV4_ADDR:
>> > '10.0.81.82'
>> > Jun 15 13:20:19 debian pluto[27490]: | L0 - x509:
>> > Jun 15 13:20:19 debian pluto[27490]: | L1 - tbsCertificate:
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - DEFAULT v1:
>> > Jun 15 13:20:19 debian pluto[27490]: | L3 - version:
>> > Jun 15 13:20:19 debian pluto[27490]: |   X.509v3
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - serialNumber:
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - signature:
>> > Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithmIdentifier:
>> > Jun 15 13:20:19 debian pluto[27490]: | L4 - algorithm:
>> > Jun 15 13:20:19 debian pluto[27490]: |   'sha-1WithRSAEncryption'
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - issuer:
>> > Jun 15 13:20:19 debian pluto[27490]: |   'C=DE, ST=Bavaria, L=Munich,
>> > O=Org, OU=org-unit, CN=sub-ca'
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - validity:
>> > Jun 15 13:20:19 debian pluto[27490]: | L3 - notBefore:
>> > Jun 15 13:20:19 debian pluto[27490]: | L4 - utcTime:
>> > Jun 15 13:20:19 debian pluto[27490]: |   'Jun 15 13:10:56 UTC 2010'
>> > Jun 15 13:20:19 debian pluto[27490]: | L3 - notAfter:
>> > Jun 15 13:20:19 debian pluto[27490]: | L4 - utcTime:
>> > Jun 15 13:20:19 debian pluto[27490]: |   'Jun 15 13:10:56 UTC 2011'
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - subject:
>> > Jun 15 13:20:19 debian pluto[27490]: |   'CN=srx5600'
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - subjectPublicKeyInfo:
>> > Jun 15 13:20:19 debian pluto[27490]: | -- > --
>> > Jun 15 13:20:19 debian pluto[27490]: | L0 - subjectPublicKeyInfo:
>> > Jun 15 13:20:19 debian pluto[27490]: | L1 - algorithm:
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - algorithmIdentifier:
>> > Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithm:
>> > Jun 15 13:20:19 debian pluto[27490]: |   'rsaEncryption'
>> > Jun 15 13:20:19 debian pluto[27490]: | L1 - subjectPublicKey:
>> > Jun 15 13:20:19 debian pluto[27490]: | -- > --
>> > Jun 15 13:20:19 debian pluto[27490]: | L0 - RSAPublicKey:
>> > Jun 15 13:20:19 debian pluto[27490]: | L1 - modulus:
>> > Jun 15 13:20:19 debian pluto[27490]: | L1 - publicExponent:
>> > Jun 15 13:20:19 debian pluto[27490]: | -- < --
>> > Jun 15 13:20:19 debian pluto[27490]: | -- < --
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - optional extensions:
>> > Jun 15 13:20:19 debian pluto[27490]: | L3 - extensions:
>> > Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
>> > Jun 15 13:20:19 debian pluto[27490]: |   'basicConstraints'
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
>> > Jun 15 13:20:19 debian pluto[27490]: |   FALSE
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
>> > Jun 15 13:20:19 debian pluto[27490]: | L6 - basicConstraints:
>> > Jun 15 13:20:19 debian pluto[27490]: | L7 - CA:
>> > Jun 15 13:20:19 debian pluto[27490]: |   FALSE
>> > Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
>> > Jun 15 13:20:19 debian pluto[27490]: |   'nsComment'
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
>> > Jun 15 13:20:19 debian pluto[27490]: |   FALSE
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
>> > Jun 15 13:20:19 debian pluto[27490]: | L6 - nsComment:
>> > Jun 15 13:20:19 debian pluto[27490]: |   'OpenSSL Generated Certificate'
>> > Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
>> > Jun 15 13:20:19 debian pluto[27490]: |   'subjectKeyIdentifier'
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
>> > Jun 15 13:20:19 debian pluto[27490]: |   FALSE
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
>> > Jun 15 13:20:19 debian pluto[27490]: | L6 - keyIdentifier:
>> > Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
>> > Jun 15 13:20:19 debian pluto[27490]: |   'authorityKeyIdentifier'
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
>> > Jun 15 13:20:19 debian pluto[27490]: |   FALSE
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
>> > Jun 15 13:20:19 debian pluto[27490]: | L6 - authorityKeyIdentifier:
>> > Jun 15 13:20:19 debian pluto[27490]: | L7 - keyIdentifier:
>> > Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
>> > Jun 15 13:20:19 debian pluto[27490]: |   'subjectAltName'
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
>> > Jun 15 13:20:19 debian pluto[27490]: |   FALSE
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
>> > Jun 15 13:20:19 debian pluto[27490]: | L6 - generalNames:
>> > Jun 15 13:20:19 debian pluto[27490]: | L7 - generalName:
>> > Jun 15 13:20:19 debian pluto[27490]: | L8 - ipAddress:
>> > Jun 15 13:20:19 debian pluto[27490]: |   '10.0.81.82'
>> > Jun 15 13:20:19 debian pluto[27490]: | L1 - signatureAlgorithm:
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - algorithmIdentifier:
>> > Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithm:
>> > Jun 15 13:20:19 debian pluto[27490]: |   'sha-1WithRSAEncryption'
>> > Jun 15 13:20:19 debian pluto[27490]: | L1 - signatureValue:
>> > Jun 15 13:20:19 debian pluto[27490]: | subject: 'CN=srx5600'
>> > Jun 15 13:20:19 debian pluto[27490]: | issuer:  'C=DE, ST=Bavaria,
>> > L=Munich, O=Org, OU=org-unit, CN=sub-ca'
>> > Jun 15 13:20:19 debian pluto[27490]: | authkey:
>> > 99:c8:85:a1:a1:4f:60:9a:1c:3a:6d:9e:f0:0f:3d:aa:d9:53:ef:71
>> > Jun 15 13:20:19 debian pluto[27490]: | certificate is valid
>> > Jun 15 13:20:19 debian pluto[27490]: "srx" #5: issuer cacert not found
>> > Jun 15 13:20:19 debian pluto[27490]: "srx" #5: X.509 certificate rejected
>> > Jun 15 13:20:19 debian pluto[27490]: | L0 - x509:
>> > Jun 15 13:20:19 debian pluto[27490]: | L1 - tbsCertificate:
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - DEFAULT v1:
>> > Jun 15 13:20:19 debian pluto[27490]: | L3 - version:
>> > Jun 15 13:20:19 debian pluto[27490]: |   X.509v3
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - serialNumber:
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - signature:
>> > Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithmIdentifier:
>> > Jun 15 13:20:19 debian pluto[27490]: | L4 - algorithm:
>> > Jun 15 13:20:19 debian pluto[27490]: |   'sha-1WithRSAEncryption'
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - issuer:
>> > Jun 15 13:20:19 debian pluto[27490]: |   'C=DE, ST=Bavaria, O=Org,
>> > OU=org-unit, CN=root-ca'
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - validity:
>> > Jun 15 13:20:19 debian pluto[27490]: | L3 - notBefore:
>> > Jun 15 13:20:19 debian pluto[27490]: | L4 - utcTime:
>> > Jun 15 13:20:19 debian pluto[27490]: |   'Jun 15 11:30:22 UTC 2010'
>> > Jun 15 13:20:19 debian pluto[27490]: | L3 - notAfter:
>> > Jun 15 13:20:19 debian pluto[27490]: | L4 - utcTime:
>> > Jun 15 13:20:19 debian pluto[27490]: |   'Jun 15 11:30:22 UTC 2011'
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - subject:
>> > Jun 15 13:20:19 debian pluto[27490]: |   'C=DE, ST=Bavaria, L=Munich,
>> > O=Org, OU=org-unit, CN=sub-ca'
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - subjectPublicKeyInfo:
>> > Jun 15 13:20:19 debian pluto[27490]: | -- > --
>> > Jun 15 13:20:19 debian pluto[27490]: | L0 - subjectPublicKeyInfo:
>> > Jun 15 13:20:19 debian pluto[27490]: | L1 - algorithm:
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - algorithmIdentifier:
>> > Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithm:
>> > Jun 15 13:20:19 debian pluto[27490]: |   'rsaEncryption'
>> > Jun 15 13:20:19 debian pluto[27490]: | L1 - subjectPublicKey:
>> > Jun 15 13:20:19 debian pluto[27490]: | -- > --
>> > Jun 15 13:20:19 debian pluto[27490]: | L0 - RSAPublicKey:
>> > Jun 15 13:20:19 debian pluto[27490]: | L1 - modulus:
>> > Jun 15 13:20:19 debian pluto[27490]: | L1 - publicExponent:
>> > Jun 15 13:20:19 debian pluto[27490]: | -- < --
>> > Jun 15 13:20:19 debian pluto[27490]: | -- < --
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - optional extensions:
>> > Jun 15 13:20:19 debian pluto[27490]: | L3 - extensions:
>> > Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
>> > Jun 15 13:20:19 debian pluto[27490]: |   'basicConstraints'
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
>> > Jun 15 13:20:19 debian pluto[27490]: |   FALSE
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
>> > Jun 15 13:20:19 debian pluto[27490]: | L6 - basicConstraints:
>> > Jun 15 13:20:19 debian pluto[27490]: | L7 - CA:
>> > Jun 15 13:20:19 debian pluto[27490]: |   FALSE
>> > Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
>> > Jun 15 13:20:19 debian pluto[27490]: |   'nsComment'
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
>> > Jun 15 13:20:19 debian pluto[27490]: |   FALSE
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
>> > Jun 15 13:20:19 debian pluto[27490]: | L6 - nsComment:
>> > Jun 15 13:20:19 debian pluto[27490]: |   'OpenSSL Generated Certificate'
>> > Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
>> > Jun 15 13:20:19 debian pluto[27490]: |   'subjectKeyIdentifier'
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
>> > Jun 15 13:20:19 debian pluto[27490]: |   FALSE
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
>> > Jun 15 13:20:19 debian pluto[27490]: | L6 - keyIdentifier:
>> > Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
>> > Jun 15 13:20:19 debian pluto[27490]: |   'authorityKeyIdentifier'
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
>> > Jun 15 13:20:19 debian pluto[27490]: |   FALSE
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
>> > Jun 15 13:20:19 debian pluto[27490]: | L6 - authorityKeyIdentifier:
>> > Jun 15 13:20:19 debian pluto[27490]: | L7 - keyIdentifier:
>> > Jun 15 13:20:19 debian pluto[27490]: | L1 - signatureAlgorithm:
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - algorithmIdentifier:
>> > Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithm:
>> > Jun 15 13:20:19 debian pluto[27490]: |   'sha-1WithRSAEncryption'
>> > Jun 15 13:20:19 debian pluto[27490]: | L1 - signatureValue:
>> > Jun 15 13:20:19 debian pluto[27490]: | subject: 'C=DE, ST=Bavaria,
>> > L=Munich, O=Org, OU=org-unit, CN=sub-ca'
>> > Jun 15 13:20:19 debian pluto[27490]: | issuer:  'C=DE, ST=Bavaria,
>> > O=Org, OU=org-unit, CN=root-ca'
>> > Jun 15 13:20:19 debian pluto[27490]: | authkey:
>> > 9b:d6:5a:04:bb:e6:22:83:e4:d2:38:15:50:d8:57:a4:da:07:8d:fe
>> > Jun 15 13:20:19 debian pluto[27490]: | certificate is valid
>> > Jun 15 13:20:19 debian pluto[27490]: | issuer cacert found
>> > Jun 15 13:20:19 debian pluto[27490]: | signature verification:
>> > Jun 15 13:20:19 debian pluto[27490]: | L0 - digestInfo:
>> > Jun 15 13:20:19 debian pluto[27490]: | L1 - digestAlgorithm:
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - algorithmIdentifier:
>> > Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithm:
>> > Jun 15 13:20:19 debian pluto[27490]: |   'sha-1'
>> > Jun 15 13:20:19 debian pluto[27490]: | L1 - digest:
>> > Jun 15 13:20:19 debian pluto[27490]: | certificate signature is valid
>> > Jun 15 13:20:19 debian pluto[27490]: "srx" #5: crl not found
>> > Jun 15 13:20:19 debian pluto[27490]: "srx" #5: certificate status unknown
>> > Jun 15 13:20:19 debian pluto[27490]: | subject: 'C=DE, ST=Bavaria,
>> > O=Org, OU=org-unit, CN=root-ca'
>> > Jun 15 13:20:19 debian pluto[27490]: | issuer:  'C=DE, ST=Bavaria,
>> > O=Org, OU=org-unit, CN=root-ca'
>> > Jun 15 13:20:19 debian pluto[27490]: | authkey:
>> > 9b:d6:5a:04:bb:e6:22:83:e4:d2:38:15:50:d8:57:a4:da:07:8d:fe
>> > Jun 15 13:20:19 debian pluto[27490]: | certificate is valid
>> > Jun 15 13:20:19 debian pluto[27490]: | issuer cacert found
>> > Jun 15 13:20:19 debian pluto[27490]: | certificate signature is valid
>> > Jun 15 13:20:19 debian pluto[27490]: | reached self-signed root ca with
>> > a path length of 0
>> > Jun 15 13:20:19 debian pluto[27490]: | Public key validated
>> > Jun 15 13:20:19 debian pluto[27490]: | L0 - x509:
>> > Jun 15 13:20:19 debian pluto[27490]: | L1 - tbsCertificate:
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - DEFAULT v1:
>> > Jun 15 13:20:19 debian pluto[27490]: | L3 - version:
>> > Jun 15 13:20:19 debian pluto[27490]: |   X.509v3
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - serialNumber:
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - signature:
>> > Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithmIdentifier:
>> > Jun 15 13:20:19 debian pluto[27490]: | L4 - algorithm:
>> > Jun 15 13:20:19 debian pluto[27490]: |   'sha-1WithRSAEncryption'
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - issuer:
>> > Jun 15 13:20:19 debian pluto[27490]: |   'C=DE, ST=Bavaria, O=Org,
>> > OU=org-unit, CN=root-ca'
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - validity:
>> > Jun 15 13:20:19 debian pluto[27490]: | L3 - notBefore:
>> > Jun 15 13:20:19 debian pluto[27490]: | L4 - utcTime:
>> > Jun 15 13:20:19 debian pluto[27490]: |   'Jun 14 19:42:33 UTC 2010'
>> > Jun 15 13:20:19 debian pluto[27490]: | L3 - notAfter:
>> > Jun 15 13:20:19 debian pluto[27490]: | L4 - utcTime:
>> > Jun 15 13:20:19 debian pluto[27490]: |   'Jun 13 19:42:33 UTC 2013'
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - subject:
>> > Jun 15 13:20:19 debian pluto[27490]: |   'C=DE, ST=Bavaria, O=Org,
>> > OU=org-unit, CN=root-ca'
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - subjectPublicKeyInfo:
>> > Jun 15 13:20:19 debian pluto[27490]: | -- > --
>> > Jun 15 13:20:19 debian pluto[27490]: | L0 - subjectPublicKeyInfo:
>> > Jun 15 13:20:19 debian pluto[27490]: | L1 - algorithm:
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - algorithmIdentifier:
>> > Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithm:
>> > Jun 15 13:20:19 debian pluto[27490]: |   'rsaEncryption'
>> > Jun 15 13:20:19 debian pluto[27490]: | L1 - subjectPublicKey:
>> > Jun 15 13:20:19 debian pluto[27490]: | -- > --
>> > Jun 15 13:20:19 debian pluto[27490]: | L0 - RSAPublicKey:
>> > Jun 15 13:20:19 debian pluto[27490]: | L1 - modulus:
>> > Jun 15 13:20:19 debian pluto[27490]: | L1 - publicExponent:
>> > Jun 15 13:20:19 debian pluto[27490]: | -- < --
>> > Jun 15 13:20:19 debian pluto[27490]: | -- < --
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - optional extensions:
>> > Jun 15 13:20:19 debian pluto[27490]: | L3 - extensions:
>> > Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
>> > Jun 15 13:20:19 debian pluto[27490]: |   'subjectKeyIdentifier'
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
>> > Jun 15 13:20:19 debian pluto[27490]: |   FALSE
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
>> > Jun 15 13:20:19 debian pluto[27490]: | L6 - keyIdentifier:
>> > Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
>> > Jun 15 13:20:19 debian pluto[27490]: |   'authorityKeyIdentifier'
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
>> > Jun 15 13:20:19 debian pluto[27490]: |   FALSE
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
>> > Jun 15 13:20:19 debian pluto[27490]: | L6 - authorityKeyIdentifier:
>> > Jun 15 13:20:19 debian pluto[27490]: | L7 - keyIdentifier:
>> > Jun 15 13:20:19 debian pluto[27490]: | L7 - authorityCertIssuer:
>> > Jun 15 13:20:19 debian pluto[27490]: | L7 - authorityCertSerialNumber:
>> > Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
>> > Jun 15 13:20:19 debian pluto[27490]: |   'basicConstraints'
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
>> > Jun 15 13:20:19 debian pluto[27490]: |   TRUE
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
>> > Jun 15 13:20:19 debian pluto[27490]: | L6 - basicConstraints:
>> > Jun 15 13:20:19 debian pluto[27490]: | L7 - CA:
>> > Jun 15 13:20:19 debian pluto[27490]: |   TRUE
>> > Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
>> > Jun 15 13:20:19 debian pluto[27490]: |   'keyUsage'
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
>> > Jun 15 13:20:19 debian pluto[27490]: |   FALSE
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
>> > Jun 15 13:20:19 debian pluto[27490]: | L1 - signatureAlgorithm:
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - algorithmIdentifier:
>> > Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithm:
>> > Jun 15 13:20:19 debian pluto[27490]: |   'sha-1WithRSAEncryption'
>> > Jun 15 13:20:19 debian pluto[27490]: | L1 - signatureValue:
>> > Jun 15 13:20:19 debian pluto[27490]: | signature verification:
>> > Jun 15 13:20:19 debian pluto[27490]: | L0 - digestInfo:
>> > Jun 15 13:20:19 debian pluto[27490]: | L1 - digestAlgorithm:
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - algorithmIdentifier:
>> > Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithm:
>> > Jun 15 13:20:19 debian pluto[27490]: |   'sha-1'
>> > Jun 15 13:20:19 debian pluto[27490]: | L1 - digest:
>> > Jun 15 13:20:19 debian pluto[27490]: | subject: 'C=DE, ST=Bavaria,
>> > O=Org, OU=org-unit, CN=root-ca'
>> > Jun 15 13:20:19 debian pluto[27490]: | issuer:  'C=DE, ST=Bavaria,
>> > O=Org, OU=org-unit, CN=root-ca'
>> > Jun 15 13:20:19 debian pluto[27490]: | authkey:
>> > 9b:d6:5a:04:bb:e6:22:83:e4:d2:38:15:50:d8:57:a4:da:07:8d:fe
>> > Jun 15 13:20:19 debian pluto[27490]: | certificate is valid
>> > Jun 15 13:20:19 debian pluto[27490]: | issuer cacert found
>> > Jun 15 13:20:19 debian pluto[27490]: | signature verification:
>> > Jun 15 13:20:19 debian pluto[27490]: | L0 - digestInfo:
>> > Jun 15 13:20:19 debian pluto[27490]: | L1 - digestAlgorithm:
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - algorithmIdentifier:
>> > Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithm:
>> > Jun 15 13:20:19 debian pluto[27490]: |   'sha-1'
>> > Jun 15 13:20:19 debian pluto[27490]: | L1 - digest:
>> > Jun 15 13:20:19 debian pluto[27490]: | certificate signature is valid
>> > Jun 15 13:20:19 debian pluto[27490]: "srx" #5: crl not found
>> > Jun 15 13:20:19 debian pluto[27490]: "srx" #5: certificate status unknown
>> > Jun 15 13:20:19 debian pluto[27490]: | subject: 'C=DE, ST=Bavaria,
>> > O=Org, OU=org-unit, CN=root-ca'
>> > Jun 15 13:20:19 debian pluto[27490]: | issuer:  'C=DE, ST=Bavaria,
>> > O=Org, OU=org-unit, CN=root-ca'
>> > Jun 15 13:20:19 debian pluto[27490]: | authkey:
>> > 9b:d6:5a:04:bb:e6:22:83:e4:d2:38:15:50:d8:57:a4:da:07:8d:fe
>> > Jun 15 13:20:19 debian pluto[27490]: | certificate is valid
>> > Jun 15 13:20:19 debian pluto[27490]: | issuer cacert found
>> > Jun 15 13:20:19 debian pluto[27490]: | certificate signature is valid
>> > Jun 15 13:20:19 debian pluto[27490]: | reached self-signed root ca with
>> > a path length of 0
>> > Jun 15 13:20:19 debian pluto[27490]: | Public key validated
>> > Jun 15 13:20:19 debian pluto[27490]: "srx" #5: no public key known for
>> > '10.0.81.82'
>> > Jun 15 13:20:19 debian pluto[27490]: "srx" #5: sending encrypted
>> > notification INVALID_KEY_INFORMATION to 10.0.81.82:500
> 
> --
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==


-- 
Regards         * Holger Metschulat
  Holger        * e-mail: homer at stellwerke.de, http://home.arcor.de/estw
    "Internet use is a privilege, not a right."
       (computer room rules at the university, 1994)
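Editor's added example (not code from the thread and not strongSwan's own code): the posted log shows pluto examining each CERT payload as it arrives and rejecting the SRX certificate with "issuer cacert not found" because the sub-ca certificate comes one payload later. A path validator that first collects everything the peer sent and then builds the chain from the end entity up to a locally trusted root does not care about that order. The script below rebuilds the root-ca / sub-ca / srx5600 hierarchy from the log with OpenSSL and compares the two behaviours: a trust store that knows only root-ca with nothing else consulted, versus the same store plus the peer's certificates offered in exactly the order the SRX sent them (end entity, sub-ca, root-ca). It also reproduces one detail worth noticing in the posted dump: the sub-ca certificate there carries basicConstraints CA:FALSE, and a strict validator rejects such a certificate as an issuer even when its signature by root-ca verifies. The subjects, the IP SAN and the 30-day lifetimes are taken from the log; the file names, the directory layout and the choice of OpenSSL as the validator are assumptions of this example. If the intermediate must be trusted before the end-entity certificate is looked at, the pragmatic option is to give pluto the sub-ca certificate locally (strongSwan loads CA certificates from /etc/ipsec.d/cacerts); that is an editor's suggestion, not something the thread confirms.

```shell
#!/bin/sh
# Added example, not from the thread or from strongSwan: rebuild the
# root-ca -> sub-ca -> srx5600 PKI seen in the posted log and compare
# "issuer must already be known" validation with order-independent
# chain building. File names, WORK dir and lifetimes are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal req config so the example does not depend on a system openssl.cnf.
# Subjects are passed with -subj, so the [dn] section can stay empty.
write_req_cnf() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# build_pki <true|false>: create the three certificates. The argument is the
# basicConstraints CA flag placed on sub-ca; the sub-ca in the posted log
# carried CA:FALSE, which is the case a strict path validator must reject.
build_pki() {
  d="$WORK/pki-$1"
  mkdir -p "$d"
  write_req_cnf "$d/req.cnf"

  # root-ca: self-signed, basicConstraints critical CA:TRUE as in the log
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
    -config "$d/req.cnf" -extensions v3_root \
    -subj "/C=DE/ST=Bavaria/O=Org/OU=org-unit/CN=root-ca" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null

  # sub-ca: signed by root-ca, CA flag as requested by the caller
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$d/req.cnf" \
    -subj "/C=DE/ST=Bavaria/L=Munich/O=Org/OU=org-unit/CN=sub-ca" \
    -keyout "$d/sub.key" -out "$d/sub.csr" 2>/dev/null
  printf 'basicConstraints=CA:%s\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' \
    "$(printf '%s' "$1" | tr a-z A-Z)" > "$d/sub.ext"
  openssl x509 -req -sha256 -days 30 -in "$d/sub.csr" \
    -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -extfile "$d/sub.ext" -out "$d/sub.pem" 2>/dev/null

  # srx5600: end entity signed by sub-ca, identified by the IP SAN from the log
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$d/req.cnf" \
    -subj "/CN=srx5600" -keyout "$d/srx.key" -out "$d/srx.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=IP:10.0.81.82\n' > "$d/srx.ext"
  openssl x509 -req -sha256 -days 30 -in "$d/srx.csr" \
    -CA "$d/sub.pem" -CAkey "$d/sub.key" -CAcreateserial \
    -extfile "$d/srx.ext" -out "$d/srx.pem" 2>/dev/null

  # What the SRX sends in its CERT payloads, in the order observed in the
  # thread: end entity first, then sub-ca, then root-ca.
  cat "$d/srx.pem" "$d/sub.pem" "$d/root.pem" > "$d/peer-certs.pem"
}

# verify_chain <true|false> <root-only|peer-bundle>: prints "ok" or "fail".
#   root-only    the trust store holds only root-ca and nothing else is
#                consulted: the "issuer cacert not found" situation.
#   peer-bundle  the received certificates are offered as untrusted input
#                and the validator builds the path itself, order-independent.
verify_chain() {
  d="$WORK/pki-$1"
  if [ "$2" = "peer-bundle" ]; then
    set -- -CAfile "$d/root.pem" -untrusted "$d/peer-certs.pem" "$d/srx.pem"
  else
    set -- -CAfile "$d/root.pem" "$d/srx.pem"
  fi
  if openssl verify "$@" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Stand-alone run: build both variants and print the three outcomes.
build_pki true
build_pki false
echo "root only, sub-ca CA:TRUE:            $(verify_chain true root-only)"
echo "peer bundle, sub-ca CA:TRUE:          $(verify_chain true peer-bundle)"
echo "peer bundle, sub-ca CA:FALSE (as log): $(verify_chain false peer-bundle)"
```

The first line fails for the same reason pluto's log does (the issuer of srx5600 is not in the trust store and nothing else is consulted); the second succeeds although the bundle lists the end entity before its issuer, which is the behaviour one wants from a validator that receives separate X.509 payloads; the third fails with an "invalid CA certificate" error, so before changing anything on the strongSwan side it is worth re-issuing the sub-ca certificate with CA:TRUE and checking the chain with `openssl verify` as above.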