[strongSwan] Certificates no longer valid

NGO MAEMBLE Ruth-Stephanie ruth-stephanie.ngomaemble at thalesgroup.com
Mon Apr 2 14:53:46 CEST 2012


Hello,

I'm working on the automated tests of strongSwan-4.6.2. I have a problem with two tests of yours: "ikev2/ocsp-signer-cert" and "ikev2/ocsp-timeouts-good". The second one is based on the first. Both indicate a certificate invalidity (see moon's daemon.log file below). On your website they probably passed because you launched them on February 20th 2012, and these certificates were valid until February 24th 2012.
Could you please let me know if there is an evolution of these tests? Should I regenerate certificates by myself to pass them?

Moon's daemon.log file extracted from the test "ikev2/ocsp-signer-cert":

Mar 28 21:23:20 moon charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.6.2)
Mar 28 21:23:20 moon charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Mar 28 21:23:20 moon charon: 00[CFG]   loaded ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/strongswanCert.pem'
Mar 28 21:23:20 moon charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Mar 28 21:23:20 moon charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Mar 28 21:23:20 moon charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Mar 28 21:23:20 moon charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Mar 28 21:23:20 moon charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Mar 28 21:23:20 moon charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/moonKey.pem'
Mar 28 21:23:20 moon charon: 00[KNL] listening on interfaces:
Mar 28 21:23:20 moon charon: 00[KNL]   eth0
Mar 28 21:23:20 moon charon: 00[KNL]     192.168.0.1
Mar 28 21:23:20 moon charon: 00[KNL]     fec0::1
Mar 28 21:23:20 moon charon: 00[KNL]     fe80::fcfd:c0ff:fea8:1
Mar 28 21:23:20 moon charon: 00[KNL]   eth1
Mar 28 21:23:20 moon charon: 00[KNL]     10.1.0.1
Mar 28 21:23:20 moon charon: 00[KNL]     fec1::1
Mar 28 21:23:20 moon charon: 00[KNL]     fe80::fcfd:aff:fe01:1
Mar 28 21:23:20 moon charon: 00[DMN] loaded plugins: curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
Mar 28 21:23:20 moon charon: 00[JOB] spawning 16 worker threads
Mar 28 21:23:20 moon charon: 08[CFG] received stroke: add ca 'strongswan-ca'
Mar 28 21:23:20 moon charon: 08[CFG] added ca 'strongswan-ca'
Mar 28 21:23:20 moon charon: 09[CFG] received stroke: add connection 'rw'
Mar 28 21:23:20 moon charon: 09[CFG]   loaded certificate "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" from 'moonCert.pem'
Mar 28 21:23:20 moon charon: 09[CFG] added configuration 'rw'
Mar 28 21:23:22 moon charon: 05[NET] received packet: from 192.168.0.100[500] to 192.168.0.1[500]
Mar 28 21:23:22 moon charon: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Mar 28 21:23:22 moon charon: 05[IKE] 192.168.0.100 is initiating an IKE_SA
Mar 28 21:23:23 moon charon: 05[IKE] sending cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Mar 28 21:23:23 moon charon: 05[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Mar 28 21:23:23 moon charon: 05[NET] sending packet: from 192.168.0.1[500] to 192.168.0.100[500]
Mar 28 21:23:23 moon charon: 04[NET] received packet: from 192.168.0.100[4500] to 192.168.0.1[4500]
Mar 28 21:23:23 moon charon: 04[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Mar 28 21:23:23 moon charon: 04[IKE] received cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Mar 28 21:23:23 moon charon: 04[IKE] received end entity cert "C=CH, O=Linux strongSwan, OU=OCSP, CN=carol at strongswan.org"
Mar 28 21:23:23 moon charon: 04[CFG] looking for peer configs matching 192.168.0.1[moon.strongswan.org]...192.168.0.100[carol at strongswan.org]
Mar 28 21:23:23 moon charon: 04[CFG] selected peer config 'rw'
Mar 28 21:23:23 moon charon: 04[CFG]   using certificate "C=CH, O=Linux strongSwan, OU=OCSP, CN=carol at strongswan.org"
Mar 28 21:23:23 moon charon: 04[CFG]   using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Mar 28 21:23:23 moon charon: 04[CFG] subject certificate invalid (valid from Feb 25 08:58:57 2007 to Feb 24 08:58:57 2012)
Mar 28 21:23:23 moon charon: 04[IKE] no trusted RSA public key found for 'carol at strongswan.org'
Mar 28 21:23:23 moon charon: 04[IKE] peer supports MOBIKE
Mar 28 21:23:23 moon charon: 04[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Mar 28 21:23:23 moon charon: 04[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.100[4500]
Mar 28 21:23:26 moon charon: 00[DMN] signal of type SIGINT received. Shutting down

Thanks and best regards,

Stéphanie Ngo Maemble
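
An added example, not part of the original post and not strongSwan code: a small Python parser that pulls the validity window out of charon's "subject certificate invalid" line, ties it to the preceding "using certificate" line on the same worker thread, and reports whether the certificate had expired when the log line was written. The function name `validity_failures` and its `year` parameter are assumptions (syslog timestamps carry no year).

```python
import re
from datetime import datetime, timedelta

# Constructed sample: three lines taken from the log in this post, with the
# list archive's "<mailto:...>" residue stripped.
SAMPLE_LOG = '''\
Mar 28 21:23:23 moon charon: 04[CFG]   using certificate "C=CH, O=Linux strongSwan, OU=OCSP, CN=carol at strongswan.org"
Mar 28 21:23:23 moon charon: 04[CFG]   using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Mar 28 21:23:23 moon charon: 04[CFG] subject certificate invalid (valid from Feb 25 08:58:57 2007 to Feb 24 08:58:57 2012)
'''

LINE = re.compile(r'^(\w{3} +\d+ [\d:]{8}) \S+ charon: (\d+)\[\w+\]\s+(.*)$')
USING = re.compile(r'^using certificate "(.+)"$')
INVALID = re.compile(r'^subject certificate invalid \(valid from (.+) to (.+)\)$')
FMT = "%b %d %H:%M:%S %Y"

def validity_failures(log_text, year):
    """Return one finding per 'subject certificate invalid' line.

    year is an assumption supplied by the caller: syslog stamps omit it.
    Times are compared naively (no time zone), so results are good to hours.
    """
    last_cert = {}  # charon thread id -> DN from its last "using certificate"
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        stamp, thread, msg = m.groups()
        used = USING.match(msg)
        if used:
            last_cert[thread] = used.group(1)
            continue
        bad = INVALID.match(msg)
        if not bad:
            continue
        seen = datetime.strptime(f"{stamp} {year}", FMT)
        not_before, not_after = (datetime.strptime(g, FMT) for g in bad.groups())
        if seen > not_after:
            state, gap = "expired", seen - not_after
        elif seen < not_before:
            state, gap = "not yet valid", not_before - seen
        else:  # window covers log time: suspect the year guess or host clock
            state, gap = "inside window", timedelta(0)
        findings.append({"subject": last_cert.get(thread, "unknown"),
                         "state": state, "days": gap.days,
                         "not_after": not_after})
    return findings

if __name__ == "__main__":
    for finding in validity_failures(SAMPLE_LOG, 2012):
        print(finding)
```
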


