[strongSwan] Intermediate CAs - ordering important?
Andreas Steffen
andreas.steffen at strongswan.org
Wed Jun 16 06:58:53 CEST 2010
Hi Holger,
The "ikev1/multi-level-ca-ldap" scenario stores the intermediate CA
certs locally in /etc/ipsec.d/cacerts. The multiple authentication
failures occur due to the "strictcrlpolicy=yes" setting where the
CRLs issued by the intermediate CA and root CA must be fetched
asynchronously, first, resulting in several IKE packet retransmissions.
This is solved much more nicely in the multi-threaded IKEv2 daemon
where the working thread just waits until all CRLs have been
fetched.
Regards
Andreas
On 06/15/2010 09:39 PM, Holger Metschulat wrote:
> Hi Andreas,
>
> thanks for pointing this out, there is indeed a StrongSwan test case for
> this
> (http://www.strongswan.org/uml/testresults43/ikev1/multi-level-ca-ldap/moon.auth.log)
> but there it is done by multiple messages being exchanged after an IKE
> Key failure and then the Intermediate CAs being sent one after the other.
>
> So I am a bit worried what's correct...
>
> Holger
>
>
> On 2010-06-15 20:18, Andreas Steffen wrote:
>> Hi Holger,
>>
>> as far as I remember pluto supports the import of intermediate CA
>> certificates received via IKEv1 only if they are embedded together
>> with the end entity certificate in a PKCS#7 envelope. This is what
>> Microsoft Windows clients are typically doing. Since over the last
>> 10 years no one requested the inclusion of intermediate CA certs in
>> separate X.509 payloads I did not implement it.
>>
>> We plan to port the X.509 trust chain verification of the IKEv2
>> charon daemon back to pluto thus the inclusion of separate CA certs
>> might become feasible in the not too distant future.
>>
>> Regards
>>
>> Andreas
>>
>> On 06/15/2010 06:35 PM, Holger Metschulat wrote:
>>>> Hi all,
>>>>
>>>> I am trying to configure a certificate based VPN between a Juniper SRX
>>>> and StrongSwan 4.3.6.
>>>>
>>>> There are two CAs, CN=root-ca and CN=sub-ca. As the names indicate,
>>>> root-ca is self-signed and sub-ca is a CA signed by root-ca.
>>>>
>>>> The SRX's certificate is certified by sub-ca, StrongSwan's certificate
>>>> is signed by root-ca.
>>>>
>>>> SRX has installed the root-ca and sub-ca certificates; StrongSwan only
>>>> has root-ca's certificate configured as the CA cert.
>>>>
>>>> This means that the SRX has to send not only its own certificate, but
>>>> also sub-ca's certificate as the intermediate CA.
>>>>
>>>> This all works fine, however, I am ending up with "no public key known"
>>>> on the StrongSwan side for the SRX public key.
>>>>
>>>> I have observed that the order of the certificates received by
>>>> StrongSwan is SRX cert, sub-ca cert and then root-ca cert. After
>>>> reception of the SRX cert, it seems that StrongSwan drops that cert
>>>> because it can't verify the issuer and then never recovers when it
>>>> afterwards receives the intermediate CA:
>>>>
>>>> Jun 15 13:20:19 debian pluto[27490]: "srx" #5: issuer cacert not found
>>>> Jun 15 13:20:19 debian pluto[27490]: "srx" #5: X.509 certificate rejected
>>>>
>>>> Can anyone confirm? Thanks!
>>>>
>>>> Here are the detailed logs:
>>>>
>>>> Jun 15 13:20:19 debian pluto[27490]: | ICOOKIE: e8 0a 9f ce 96 52 a3 d6
>>>> Jun 15 13:20:19 debian pluto[27490]: | RCOOKIE: fb e9 79 82 92 62 7f 46
>>>> Jun 15 13:20:19 debian pluto[27490]: | peer: 0a 00 51 52
>>>> Jun 15 13:20:19 debian pluto[27490]: | state hash entry 15
>>>> Jun 15 13:20:19 debian pluto[27490]: | state object #5 found, in
>>>> STATE_MAIN_I3
>>>> Jun 15 13:20:19 debian pluto[27490]: | ***parse ISAKMP Identification
>>>> Payload:
>>>> Jun 15 13:20:19 debian pluto[27490]: | next payload type:
>>>> ISAKMP_NEXT_CERT
>>>> Jun 15 13:20:19 debian pluto[27490]: | length: 12
>>>> Jun 15 13:20:19 debian pluto[27490]: | ID type: ID_IPV4_ADDR
>>>> Jun 15 13:20:19 debian pluto[27490]: | DOI specific A: 17
>>>> Jun 15 13:20:19 debian pluto[27490]: | DOI specific B: 0
>>>> Jun 15 13:20:19 debian pluto[27490]: | ***parse ISAKMP Certificate Payload:
>>>> Jun 15 13:20:19 debian pluto[27490]: | next payload type:
>>>> ISAKMP_NEXT_CERT
>>>> Jun 15 13:20:19 debian pluto[27490]: | length: 784
>>>> Jun 15 13:20:19 debian pluto[27490]: | cert encoding: CERT_X509_SIGNATURE
>>>> Jun 15 13:20:19 debian pluto[27490]: | ***parse ISAKMP Certificate Payload:
>>>> Jun 15 13:20:19 debian pluto[27490]: | next payload type:
>>>> ISAKMP_NEXT_CERT
>>>> Jun 15 13:20:19 debian pluto[27490]: | length: 700
>>>> Jun 15 13:20:19 debian pluto[27490]: | cert encoding: CERT_X509_SIGNATURE
>>>> Jun 15 13:20:19 debian pluto[27490]: | ***parse ISAKMP Certificate Payload:
>>>> Jun 15 13:20:19 debian pluto[27490]: | next payload type: ISAKMP_NEXT_SIG
>>>> Jun 15 13:20:19 debian pluto[27490]: | length: 762
>>>> Jun 15 13:20:19 debian pluto[27490]: | cert encoding: CERT_X509_SIGNATURE
>>>> Jun 15 13:20:19 debian pluto[27490]: | ***parse ISAKMP Signature Payload:
>>>> Jun 15 13:20:19 debian pluto[27490]: | next payload type:
>>>> ISAKMP_NEXT_NONE
>>>> Jun 15 13:20:19 debian pluto[27490]: | length: 260
>>>> Jun 15 13:20:19 debian pluto[27490]: | removing 10 bytes of padding
>>>> Jun 15 13:20:19 debian pluto[27490]: | protocol/port in Phase 1 ID
>>>> Payload is 17/0. accepted with port_floating NAT-T
>>>> Jun 15 13:20:19 debian pluto[27490]: "srx" #5: Peer ID is ID_IPV4_ADDR:
>>>> '10.0.81.82'
>>>> Jun 15 13:20:19 debian pluto[27490]: | L0 - x509:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L1 - tbsCertificate:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L2 - DEFAULT v1:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L3 - version:
>>>> Jun 15 13:20:19 debian pluto[27490]: | X.509v3
>>>> Jun 15 13:20:19 debian pluto[27490]: | L2 - serialNumber:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L2 - signature:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithmIdentifier:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L4 - algorithm:
>>>> Jun 15 13:20:19 debian pluto[27490]: | 'sha-1WithRSAEncryption'
>>>> Jun 15 13:20:19 debian pluto[27490]: | L2 - issuer:
>>>> Jun 15 13:20:19 debian pluto[27490]: | 'C=DE, ST=Bavaria, L=Munich,
>>>> O=Org, OU=org-unit, CN=sub-ca'
>>>> Jun 15 13:20:19 debian pluto[27490]: | L2 - validity:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L3 - notBefore:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L4 - utcTime:
>>>> Jun 15 13:20:19 debian pluto[27490]: | 'Jun 15 13:10:56 UTC 2010'
>>>> Jun 15 13:20:19 debian pluto[27490]: | L3 - notAfter:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L4 - utcTime:
>>>> Jun 15 13:20:19 debian pluto[27490]: | 'Jun 15 13:10:56 UTC 2011'
>>>> Jun 15 13:20:19 debian pluto[27490]: | L2 - subject:
>>>> Jun 15 13:20:19 debian pluto[27490]: | 'CN=srx5600'
>>>> Jun 15 13:20:19 debian pluto[27490]: | L2 - subjectPublicKeyInfo:
>>>> Jun 15 13:20:19 debian pluto[27490]: | -- > --
>>>> Jun 15 13:20:19 debian pluto[27490]: | L0 - subjectPublicKeyInfo:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L1 - algorithm:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L2 - algorithmIdentifier:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithm:
>>>> Jun 15 13:20:19 debian pluto[27490]: | 'rsaEncryption'
>>>> Jun 15 13:20:19 debian pluto[27490]: | L1 - subjectPublicKey:
>>>> Jun 15 13:20:19 debian pluto[27490]: | -- > --
>>>> Jun 15 13:20:19 debian pluto[27490]: | L0 - RSAPublicKey:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L1 - modulus:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L1 - publicExponent:
>>>> Jun 15 13:20:19 debian pluto[27490]: | -- < --
>>>> Jun 15 13:20:19 debian pluto[27490]: | -- < --
>>>> Jun 15 13:20:19 debian pluto[27490]: | L2 - optional extensions:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L3 - extensions:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
>>>> Jun 15 13:20:19 debian pluto[27490]: | 'basicConstraints'
>>>> Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
>>>> Jun 15 13:20:19 debian pluto[27490]: | FALSE
>>>> Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L6 - basicConstraints:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L7 - CA:
>>>> Jun 15 13:20:19 debian pluto[27490]: | FALSE
>>>> Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
>>>> Jun 15 13:20:19 debian pluto[27490]: | 'nsComment'
>>>> Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
>>>> Jun 15 13:20:19 debian pluto[27490]: | FALSE
>>>> Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L6 - nsComment:
>>>> Jun 15 13:20:19 debian pluto[27490]: | 'OpenSSL Generated Certificate'
>>>> Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
>>>> Jun 15 13:20:19 debian pluto[27490]: | 'subjectKeyIdentifier'
>>>> Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
>>>> Jun 15 13:20:19 debian pluto[27490]: | FALSE
>>>> Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L6 - keyIdentifier:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
>>>> Jun 15 13:20:19 debian pluto[27490]: | 'authorityKeyIdentifier'
>>>> Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
>>>> Jun 15 13:20:19 debian pluto[27490]: | FALSE
>>>> Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L6 - authorityKeyIdentifier:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L7 - keyIdentifier:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
>>>> Jun 15 13:20:19 debian pluto[27490]: | 'subjectAltName'
>>>> Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
>>>> Jun 15 13:20:19 debian pluto[27490]: | FALSE
>>>> Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L6 - generalNames:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L7 - generalName:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L8 - ipAddress:
>>>> Jun 15 13:20:19 debian pluto[27490]: | '10.0.81.82'
>>>> Jun 15 13:20:19 debian pluto[27490]: | L1 - signatureAlgorithm:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L2 - algorithmIdentifier:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithm:
>>>> Jun 15 13:20:19 debian pluto[27490]: | 'sha-1WithRSAEncryption'
>>>> Jun 15 13:20:19 debian pluto[27490]: | L1 - signatureValue:
>>>> Jun 15 13:20:19 debian pluto[27490]: | subject: 'CN=srx5600'
>>>> Jun 15 13:20:19 debian pluto[27490]: | issuer: 'C=DE, ST=Bavaria,
>>>> L=Munich, O=Org, OU=org-unit, CN=sub-ca'
>>>> Jun 15 13:20:19 debian pluto[27490]: | authkey:
>>>> 99:c8:85:a1:a1:4f:60:9a:1c:3a:6d:9e:f0:0f:3d:aa:d9:53:ef:71
>>>> Jun 15 13:20:19 debian pluto[27490]: | certificate is valid
>>>> Jun 15 13:20:19 debian pluto[27490]: "srx" #5: issuer cacert not found
>>>> Jun 15 13:20:19 debian pluto[27490]: "srx" #5: X.509 certificate rejected
>>>> Jun 15 13:20:19 debian pluto[27490]: | L0 - x509:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L1 - tbsCertificate:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L2 - DEFAULT v1:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L3 - version:
>>>> Jun 15 13:20:19 debian pluto[27490]: | X.509v3
>>>> Jun 15 13:20:19 debian pluto[27490]: | L2 - serialNumber:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L2 - signature:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithmIdentifier:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L4 - algorithm:
>>>> Jun 15 13:20:19 debian pluto[27490]: | 'sha-1WithRSAEncryption'
>>>> Jun 15 13:20:19 debian pluto[27490]: | L2 - issuer:
>>>> Jun 15 13:20:19 debian pluto[27490]: | 'C=DE, ST=Bavaria, O=Org,
>>>> OU=org-unit, CN=root-ca'
>>>> Jun 15 13:20:19 debian pluto[27490]: | L2 - validity:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L3 - notBefore:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L4 - utcTime:
>>>> Jun 15 13:20:19 debian pluto[27490]: | 'Jun 15 11:30:22 UTC 2010'
>>>> Jun 15 13:20:19 debian pluto[27490]: | L3 - notAfter:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L4 - utcTime:
>>>> Jun 15 13:20:19 debian pluto[27490]: | 'Jun 15 11:30:22 UTC 2011'
>>>> Jun 15 13:20:19 debian pluto[27490]: | L2 - subject:
>>>> Jun 15 13:20:19 debian pluto[27490]: | 'C=DE, ST=Bavaria, L=Munich,
>>>> O=Org, OU=org-unit, CN=sub-ca'
>>>> Jun 15 13:20:19 debian pluto[27490]: | L2 - subjectPublicKeyInfo:
>>>> Jun 15 13:20:19 debian pluto[27490]: | -- > --
>>>> Jun 15 13:20:19 debian pluto[27490]: | L0 - subjectPublicKeyInfo:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L1 - algorithm:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L2 - algorithmIdentifier:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithm:
>>>> Jun 15 13:20:19 debian pluto[27490]: | 'rsaEncryption'
>>>> Jun 15 13:20:19 debian pluto[27490]: | L1 - subjectPublicKey:
>>>> Jun 15 13:20:19 debian pluto[27490]: | -- > --
>>>> Jun 15 13:20:19 debian pluto[27490]: | L0 - RSAPublicKey:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L1 - modulus:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L1 - publicExponent:
>>>> Jun 15 13:20:19 debian pluto[27490]: | -- < --
>>>> Jun 15 13:20:19 debian pluto[27490]: | -- < --
>>>> Jun 15 13:20:19 debian pluto[27490]: | L2 - optional extensions:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L3 - extensions:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
>>>> Jun 15 13:20:19 debian pluto[27490]: | 'basicConstraints'
>>>> Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
>>>> Jun 15 13:20:19 debian pluto[27490]: | FALSE
>>>> Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L6 - basicConstraints:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L7 - CA:
>>>> Jun 15 13:20:19 debian pluto[27490]: | FALSE
>>>> Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
>>>> Jun 15 13:20:19 debian pluto[27490]: | 'nsComment'
>>>> Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
>>>> Jun 15 13:20:19 debian pluto[27490]: | FALSE
>>>> Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L6 - nsComment:
>>>> Jun 15 13:20:19 debian pluto[27490]: | 'OpenSSL Generated Certificate'
>>>> Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
>>>> Jun 15 13:20:19 debian pluto[27490]: | 'subjectKeyIdentifier'
>>>> Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
>>>> Jun 15 13:20:19 debian pluto[27490]: | FALSE
>>>> Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L6 - keyIdentifier:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
>>>> Jun 15 13:20:19 debian pluto[27490]: | 'authorityKeyIdentifier'
>>>> Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
>>>> Jun 15 13:20:19 debian pluto[27490]: | FALSE
>>>> Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L6 - authorityKeyIdentifier:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L7 - keyIdentifier:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L1 - signatureAlgorithm:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L2 - algorithmIdentifier:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithm:
>>>> Jun 15 13:20:19 debian pluto[27490]: | 'sha-1WithRSAEncryption'
>>>> Jun 15 13:20:19 debian pluto[27490]: | L1 - signatureValue:
>>>> Jun 15 13:20:19 debian pluto[27490]: | subject: 'C=DE, ST=Bavaria,
>>>> L=Munich, O=Org, OU=org-unit, CN=sub-ca'
>>>> Jun 15 13:20:19 debian pluto[27490]: | issuer: 'C=DE, ST=Bavaria,
>>>> O=Org, OU=org-unit, CN=root-ca'
>>>> Jun 15 13:20:19 debian pluto[27490]: | authkey:
>>>> 9b:d6:5a:04:bb:e6:22:83:e4:d2:38:15:50:d8:57:a4:da:07:8d:fe
>>>> Jun 15 13:20:19 debian pluto[27490]: | certificate is valid
>>>> Jun 15 13:20:19 debian pluto[27490]: | issuer cacert found
>>>> Jun 15 13:20:19 debian pluto[27490]: | signature verification:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L0 - digestInfo:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L1 - digestAlgorithm:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L2 - algorithmIdentifier:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithm:
>>>> Jun 15 13:20:19 debian pluto[27490]: | 'sha-1'
>>>> Jun 15 13:20:19 debian pluto[27490]: | L1 - digest:
>>>> Jun 15 13:20:19 debian pluto[27490]: | certificate signature is valid
>>>> Jun 15 13:20:19 debian pluto[27490]: "srx" #5: crl not found
>>>> Jun 15 13:20:19 debian pluto[27490]: "srx" #5: certificate status unknown
>>>> Jun 15 13:20:19 debian pluto[27490]: | subject: 'C=DE, ST=Bavaria,
>>>> O=Org, OU=org-unit, CN=root-ca'
>>>> Jun 15 13:20:19 debian pluto[27490]: | issuer: 'C=DE, ST=Bavaria,
>>>> O=Org, OU=org-unit, CN=root-ca'
>>>> Jun 15 13:20:19 debian pluto[27490]: | authkey:
>>>> 9b:d6:5a:04:bb:e6:22:83:e4:d2:38:15:50:d8:57:a4:da:07:8d:fe
>>>> Jun 15 13:20:19 debian pluto[27490]: | certificate is valid
>>>> Jun 15 13:20:19 debian pluto[27490]: | issuer cacert found
>>>> Jun 15 13:20:19 debian pluto[27490]: | certificate signature is valid
>>>> Jun 15 13:20:19 debian pluto[27490]: | reached self-signed root ca with
>>>> a path length of 0
>>>> Jun 15 13:20:19 debian pluto[27490]: | Public key validated
>>>> Jun 15 13:20:19 debian pluto[27490]: | L0 - x509:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L1 - tbsCertificate:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L2 - DEFAULT v1:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L3 - version:
>>>> Jun 15 13:20:19 debian pluto[27490]: | X.509v3
>>>> Jun 15 13:20:19 debian pluto[27490]: | L2 - serialNumber:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L2 - signature:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithmIdentifier:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L4 - algorithm:
>>>> Jun 15 13:20:19 debian pluto[27490]: | 'sha-1WithRSAEncryption'
>>>> Jun 15 13:20:19 debian pluto[27490]: | L2 - issuer:
>>>> Jun 15 13:20:19 debian pluto[27490]: | 'C=DE, ST=Bavaria, O=Org,
>>>> OU=org-unit, CN=root-ca'
>>>> Jun 15 13:20:19 debian pluto[27490]: | L2 - validity:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L3 - notBefore:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L4 - utcTime:
>>>> Jun 15 13:20:19 debian pluto[27490]: | 'Jun 14 19:42:33 UTC 2010'
>>>> Jun 15 13:20:19 debian pluto[27490]: | L3 - notAfter:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L4 - utcTime:
>>>> Jun 15 13:20:19 debian pluto[27490]: | 'Jun 13 19:42:33 UTC 2013'
>>>> Jun 15 13:20:19 debian pluto[27490]: | L2 - subject:
>>>> Jun 15 13:20:19 debian pluto[27490]: | 'C=DE, ST=Bavaria, O=Org,
>>>> OU=org-unit, CN=root-ca'
>>>> Jun 15 13:20:19 debian pluto[27490]: | L2 - subjectPublicKeyInfo:
>>>> Jun 15 13:20:19 debian pluto[27490]: | -- > --
>>>> Jun 15 13:20:19 debian pluto[27490]: | L0 - subjectPublicKeyInfo:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L1 - algorithm:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L2 - algorithmIdentifier:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithm:
>>>> Jun 15 13:20:19 debian pluto[27490]: | 'rsaEncryption'
>>>> Jun 15 13:20:19 debian pluto[27490]: | L1 - subjectPublicKey:
>>>> Jun 15 13:20:19 debian pluto[27490]: | -- > --
>>>> Jun 15 13:20:19 debian pluto[27490]: | L0 - RSAPublicKey:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L1 - modulus:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L1 - publicExponent:
>>>> Jun 15 13:20:19 debian pluto[27490]: | -- < --
>>>> Jun 15 13:20:19 debian pluto[27490]: | -- < --
>>>> Jun 15 13:20:19 debian pluto[27490]: | L2 - optional extensions:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L3 - extensions:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
>>>> Jun 15 13:20:19 debian pluto[27490]: | 'subjectKeyIdentifier'
>>>> Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
>>>> Jun 15 13:20:19 debian pluto[27490]: | FALSE
>>>> Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L6 - keyIdentifier:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
>>>> Jun 15 13:20:19 debian pluto[27490]: | 'authorityKeyIdentifier'
>>>> Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
>>>> Jun 15 13:20:19 debian pluto[27490]: | FALSE
>>>> Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L6 - authorityKeyIdentifier:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L7 - keyIdentifier:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L7 - authorityCertIssuer:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L7 - authorityCertSerialNumber:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
>>>> Jun 15 13:20:19 debian pluto[27490]: | 'basicConstraints'
>>>> Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
>>>> Jun 15 13:20:19 debian pluto[27490]: | TRUE
>>>> Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L6 - basicConstraints:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L7 - CA:
>>>> Jun 15 13:20:19 debian pluto[27490]: | TRUE
>>>> Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
>>>> Jun 15 13:20:19 debian pluto[27490]: | 'keyUsage'
>>>> Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
>>>> Jun 15 13:20:19 debian pluto[27490]: | FALSE
>>>> Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L1 - signatureAlgorithm:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L2 - algorithmIdentifier:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithm:
>>>> Jun 15 13:20:19 debian pluto[27490]: | 'sha-1WithRSAEncryption'
>>>> Jun 15 13:20:19 debian pluto[27490]: | L1 - signatureValue:
>>>> Jun 15 13:20:19 debian pluto[27490]: | signature verification:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L0 - digestInfo:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L1 - digestAlgorithm:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L2 - algorithmIdentifier:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithm:
>>>> Jun 15 13:20:19 debian pluto[27490]: | 'sha-1'
>>>> Jun 15 13:20:19 debian pluto[27490]: | L1 - digest:
>>>> Jun 15 13:20:19 debian pluto[27490]: | subject: 'C=DE, ST=Bavaria,
>>>> O=Org, OU=org-unit, CN=root-ca'
>>>> Jun 15 13:20:19 debian pluto[27490]: | issuer: 'C=DE, ST=Bavaria,
>>>> O=Org, OU=org-unit, CN=root-ca'
>>>> Jun 15 13:20:19 debian pluto[27490]: | authkey:
>>>> 9b:d6:5a:04:bb:e6:22:83:e4:d2:38:15:50:d8:57:a4:da:07:8d:fe
>>>> Jun 15 13:20:19 debian pluto[27490]: | certificate is valid
>>>> Jun 15 13:20:19 debian pluto[27490]: | issuer cacert found
>>>> Jun 15 13:20:19 debian pluto[27490]: | signature verification:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L0 - digestInfo:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L1 - digestAlgorithm:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L2 - algorithmIdentifier:
>>>> Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithm:
>>>> Jun 15 13:20:19 debian pluto[27490]: | 'sha-1'
>>>> Jun 15 13:20:19 debian pluto[27490]: | L1 - digest:
>>>> Jun 15 13:20:19 debian pluto[27490]: | certificate signature is valid
>>>> Jun 15 13:20:19 debian pluto[27490]: "srx" #5: crl not found
>>>> Jun 15 13:20:19 debian pluto[27490]: "srx" #5: certificate status unknown
>>>> Jun 15 13:20:19 debian pluto[27490]: | subject: 'C=DE, ST=Bavaria,
>>>> O=Org, OU=org-unit, CN=root-ca'
>>>> Jun 15 13:20:19 debian pluto[27490]: | issuer: 'C=DE, ST=Bavaria,
>>>> O=Org, OU=org-unit, CN=root-ca'
>>>> Jun 15 13:20:19 debian pluto[27490]: | authkey:
>>>> 9b:d6:5a:04:bb:e6:22:83:e4:d2:38:15:50:d8:57:a4:da:07:8d:fe
>>>> Jun 15 13:20:19 debian pluto[27490]: | certificate is valid
>>>> Jun 15 13:20:19 debian pluto[27490]: | issuer cacert found
>>>> Jun 15 13:20:19 debian pluto[27490]: | certificate signature is valid
>>>> Jun 15 13:20:19 debian pluto[27490]: | reached self-signed root ca with
>>>> a path length of 0
>>>> Jun 15 13:20:19 debian pluto[27490]: | Public key validated
>>>> Jun 15 13:20:19 debian pluto[27490]: "srx" #5: no public key known for
>>>> '10.0.81.82'
>>>> Jun 15 13:20:19 debian pluto[27490]: "srx" #5: sending encrypted
>>>> notification INVALID_KEY_INFORMATION to 10.0.81.82:500
>>
>> --
>> ======================================================================
>> Andreas Steffen andreas.steffen at strongswan.org
>> strongSwan - the Linux VPN Solution! www.strongswan.org
>> Institute for Internet Technologies and Applications
>> University of Applied Sciences Rapperswil
>> CH-8640 Rapperswil (Switzerland)
>> ===========================================================[ITA-HSR]==
>
>
--
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
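Added illustration, not code from this thread, from pluto or from strongSwan: a small stdlib-only model of the two behaviours the thread contrasts. `verify_on_arrival()` judges each certificate the moment it arrives against what is already known, so an end-entity certificate whose intermediate CA has not been seen yet is dropped and never revisited (the "issuer cacert not found" / "no public key known" outcome in Holger's log when the peer sends end-entity, sub-ca, root-ca in that order). `build_path()` pools every received certificate first and only then walks from the end entity up to a configured trust anchor, so the order of the CERT payloads no longer matters. The certificates, their SKI/AKI values and the keyed-hash "signature" are constructed for the example and stand in for real RSA signatures over tbsCertificate; DNs mirror those in the log.

```python
"""Order-independent X.509 path building versus reject-on-arrival (constructed model)."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str     # subject DN
    issuer: str      # issuer DN
    ski: str         # subjectKeyIdentifier (stands in for the public key here)
    aki: str         # authorityKeyIdentifier (the issuer's SKI)
    is_ca: bool      # basicConstraints CA flag
    signature: str   # constructed stand-in for the signature, see _tag()

    @property
    def self_signed(self):
        return self.subject == self.issuer and self.ski == self.aki


def _tbs(subject, issuer, ski, aki, is_ca):
    return f"{subject}|{issuer}|{ski}|{aki}|{int(is_ca)}".encode()


def _tag(signer_ski, tbs):
    # Constructed stand-in: a real verifier checks an RSA/ECDSA signature with
    # the issuer's public key; here the issuer's SKI plays the role of that key.
    return hashlib.sha256(signer_ski.encode() + tbs).hexdigest()


def make_cert(subject, ski, is_ca, issuer=None):
    """Issue a constructed certificate; issuer=None yields a self-signed root."""
    issuer_dn = issuer.subject if issuer else subject
    aki = issuer.ski if issuer else ski
    return Cert(subject, issuer_dn, ski, aki, is_ca,
                _tag(aki, _tbs(subject, issuer_dn, ski, aki, is_ca)))


def signature_ok(cert, issuer):
    tbs = _tbs(cert.subject, cert.issuer, cert.ski, cert.aki, cert.is_ca)
    return cert.signature == _tag(issuer.ski, tbs)


def find_issuer(cert, pool):
    """Locate the issuer by AKI -> SKI, falling back to a match on issuer DN."""
    cand = pool.get(cert.aki)
    if cand is not None and cand.subject == cert.issuer:
        return cand
    return next((c for c in pool.values() if c.subject == cert.issuer), None)


def verify_on_arrival(received_in_order, trusted):
    """Order-dependent model of the log: each cert is checked as it arrives
    against what is already known; a rejected cert is never revisited.
    Returns (end_entity_validated, log_lines)."""
    known = {c.ski: c for c in trusted}
    lines, ee_ok = [], False
    for cert in received_in_order:
        issuer = find_issuer(cert, known)
        if issuer is None:
            lines.append(f"'{cert.subject}': issuer cacert not found, certificate rejected")
            continue
        if not signature_ok(cert, issuer):
            lines.append(f"'{cert.subject}': certificate signature invalid")
            continue
        known[cert.ski] = cert
        lines.append(f"'{cert.subject}': certificate signature is valid")
        ee_ok = ee_ok or not cert.is_ca
    return ee_ok, lines


def build_path(ee, received, trusted, max_len=8):
    """Pool every received cert first, then walk ee -> ... -> trusted root.
    Returns (path, status); path is None on failure."""
    pool = {c.ski: c for c in list(received) + list(trusted)}  # trusted wins on SKI clash
    anchors = {c.ski for c in trusted}
    path, cur = [ee], ee
    while len(path) <= max_len:
        issuer = find_issuer(cur, pool)
        if issuer is None:
            return None, f"issuer cacert not found for '{cur.subject}'"
        if not issuer.is_ca or not signature_ok(cur, issuer):
            return None, f"'{cur.subject}' is not validly signed by CA '{issuer.subject}'"
        if issuer.ski in anchors:
            return path + [issuer], f"reached trusted root '{issuer.subject}'"
        if issuer.self_signed or issuer in path:
            return None, f"untrusted self-signed or looping issuer '{issuer.subject}'"
        path.append(issuer)
        cur = issuer
    return None, "path too long"


# Constructed certificates; DNs follow the log, SKIs are placeholders.
ROOT = make_cert("C=DE, ST=Bavaria, O=Org, OU=org-unit, CN=root-ca", "ski-root", True)
SUB = make_cert("C=DE, ST=Bavaria, L=Munich, O=Org, OU=org-unit, CN=sub-ca", "ski-sub", True, issuer=ROOT)
SRX = make_cert("CN=srx5600", "ski-srx", False, issuer=SUB)

if __name__ == "__main__":
    arrived = [SRX, SUB, ROOT]  # the order seen in the pluto log
    ok, log = verify_on_arrival(arrived, [ROOT])
    print("on-arrival validated:", ok, *log, sep="\n  ")
    path, status = build_path(SRX, arrived, [ROOT])
    print("pooled:", status, [c.subject for c in (path or [])])
```

Only `ROOT` is configured as trusted on the strongSwan side, as in the thread; `build_path()` with `trusted=[]` or with the intermediate missing from the received set fails with the same "issuer cacert not found" status rather than silently accepting an unanchored chain.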