[strongSwan] Certificates no longer valid

Andreas Steffen andreas.steffen at strongswan.org
Mon Apr 2 15:08:11 CEST 2012


Hello Stéphanie,

the expired OCSP key/certificate pair was renewed with the following
patch:

http://git.strongswan.org/?p=strongswan.git;a=commit;h=ebf292bad0bd4cafb6edc3f49ae35804277874ea

The updated test will be contained in the upcoming 4.6.3dr2 release.

Regards

Andreas

On 02.04.2012 14:53, NGO MAEMBLE Ruth-Stephanie wrote:
> Hello,
> 
>  
> 
> I'm working on the automated tests of strongSwan-4.6.2. I have a problem
> with two tests of yours: “ikev2/ocsp-signer-cert” and
> “ikev2/ocsp-timeouts-good”. The second one is based on the first. Both
> indicate a certificate invalidity (see moon’s daemon.log file below).
> On your website they probably passed because you launched them on
> February 20th 2012, and these certificates were valid until February
> 24th 2012.
> 
> Could you please let me know if there is an evolution of these tests?
> Should I regenerate certificates by myself to pass them?
> 
>  
> 
> Moon’s daemon.log file extracted from the test “ikev2/ocsp-signer-cert”:
> 
>  
> 
> /Mar 28 21:23:20 moon charon: 00[DMN] Starting IKEv2 charon daemon
> (strongSwan 4.6.2) /
> 
> /Mar 28 21:23:20 moon charon: 00[CFG] loading ca certificates from
> '/etc/ipsec.d/cacerts' /
> 
> /Mar 28 21:23:20 moon charon: 00[CFG]   loaded ca certificate "C=CH,
> O=Linux strongSwan, CN=strongSwan Root CA" from
> '/etc/ipsec.d/cacerts/strongswanCert.pem' /
> 
> /Mar 28 21:23:20 moon charon: 00[CFG] loading aa certificates from
> '/etc/ipsec.d/aacerts' /
> 
> /Mar 28 21:23:20 moon charon: 00[CFG] loading ocsp signer certificates
> from '/etc/ipsec.d/ocspcerts' /
> 
> /Mar 28 21:23:20 moon charon: 00[CFG] loading attribute certificates
> from '/etc/ipsec.d/acerts' /
> 
> /Mar 28 21:23:20 moon charon: 00[CFG] loading crls from
> '/etc/ipsec.d/crls' /
> 
> /Mar 28 21:23:20 moon charon: 00[CFG] loading secrets from
> '/etc/ipsec.secrets' /
> 
> /Mar 28 21:23:20 moon charon: 00[CFG]   loaded RSA private key from
> '/etc/ipsec.d/private/moonKey.pem' /
> 
> /Mar 28 21:23:20 moon charon: 00[KNL] listening on interfaces: /
> 
> /Mar 28 21:23:20 moon charon: 00[KNL]   eth0 /
> 
> /Mar 28 21:23:20 moon charon: 00[KNL]     192.168.0.1 /
> 
> /Mar 28 21:23:20 moon charon: 00[KNL]     fec0::1 /
> 
> /Mar 28 21:23:20 moon charon: 00[KNL]     fe80::fcfd:c0ff:fea8:1 /
> 
> /Mar 28 21:23:20 moon charon: 00[KNL]   eth1 /
> 
> /Mar 28 21:23:20 moon charon: 00[KNL]     10.1.0.1 /
> 
> /Mar 28 21:23:20 moon charon: 00[KNL]     fec1::1 /
> 
> /Mar 28 21:23:20 moon charon: 00[KNL]     fe80::fcfd:aff:fe01:1 /
> 
> /Mar 28 21:23:20 moon charon: 00[DMN] loaded plugins: curl aes des sha1
> sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke
> kernel-netlink socket-default /
> 
> /Mar 28 21:23:20 moon charon: 00[JOB] spawning 16 worker threads /
> 
> /Mar 28 21:23:20 moon charon: 08[CFG] received stroke: add ca
> 'strongswan-ca' /
> 
> /Mar 28 21:23:20 moon charon: 08[CFG] added ca 'strongswan-ca' /
> 
> /Mar 28 21:23:20 moon charon: 09[CFG] received stroke: add connection 'rw' /
> 
> /Mar 28 21:23:20 moon charon: 09[CFG]   loaded certificate "C=CH,
> O=Linux strongSwan, CN=moon.strongswan.org" from 'moonCert.pem' /
> 
> /Mar 28 21:23:20 moon charon: 09[CFG] added configuration 'rw' /
> 
> /Mar 28 21:23:22 moon charon: 05[NET] received packet: from
> 192.168.0.100[500] to 192.168.0.1[500] /
> 
> /Mar 28 21:23:22 moon charon: 05[ENC] parsed IKE_SA_INIT request 0 [ SA
> KE No N(NATD_S_IP) N(NATD_D_IP) ] /
> 
> /Mar 28 21:23:22 moon charon: 05[IKE] 192.168.0.100 is initiating an
> IKE_SA /
> 
> /Mar 28 21:23:23 moon charon: 05[IKE] sending cert request for "C=CH,
> O=Linux strongSwan, CN=strongSwan Root CA" /
> 
> /Mar 28 21:23:23 moon charon: 05[ENC] generating IKE_SA_INIT response 0
> [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ] /
> 
> /Mar 28 21:23:23 moon charon: 05[NET] sending packet: from
> 192.168.0.1[500] to 192.168.0.100[500] /
> 
> /Mar 28 21:23:23 moon charon: 04[NET] received packet: from
> 192.168.0.100[4500] to 192.168.0.1[4500] /
> 
> /Mar 28 21:23:23 moon charon: 04[ENC] parsed IKE_AUTH request 1 [ IDi
> CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP)
> N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ] /
> 
> /Mar 28 21:23:23 moon charon: 04[IKE] received cert request for "C=CH,
> O=Linux strongSwan, CN=strongSwan Root CA" /
> 
> /Mar 28 21:23:23 moon charon: 04[IKE] received end entity cert "C=CH,
> O=Linux strongSwan, OU=OCSP, CN=carol at strongswan.org" /
> 
> /Mar 28 21:23:23 moon charon: 04[CFG] looking for peer configs matching
> 192.168.0.1[moon.strongswan.org]...192.168.0.100[carol at strongswan.org] /
> 
> /Mar 28 21:23:23 moon charon: 04[CFG] selected peer config 'rw' /
> 
> /Mar 28 21:23:23 moon charon: 04[CFG]   using certificate "C=CH, O=Linux
> strongSwan, OU=OCSP, CN=carol at strongswan.org" /
> 
> /Mar 28 21:23:23 moon charon: 04[CFG]   using trusted ca certificate
> "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" /
> 
> /Mar 28 21:23:23 moon charon: 04[CFG] subject certificate invalid (valid
> from Feb 25 08:58:57 2007 to Feb 24 08:58:57 2012) /
> 
> /Mar 28 21:23:23 moon charon: 04[IKE] no trusted RSA public key found
> for 'carol at strongswan.org' /
> 
> /Mar 28 21:23:23 moon charon: 04[IKE] peer supports MOBIKE /
> 
> /Mar 28 21:23:23 moon charon: 04[ENC] generating IKE_AUTH response 1 [
> N(AUTH_FAILED) ] /
> 
> /Mar 28 21:23:23 moon charon: 04[NET] sending packet: from
> 192.168.0.1[4500] to 192.168.0.100[4500] /
> 
> /Mar 28 21:23:26 moon charon: 00[DMN] signal of type SIGINT received.
> Shutting down/
> 
>  
> 
> Thanks and best regards,
> 
>  
> 
> Stéphanie Ngo Maemble
> 

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
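
Added example (not part of the original mails or of the strongSwan code base): a triage script that finds charon's "certificate invalid (valid from ... to ...)" lines, as seen in the quoted daemon.log, and reports whether the certificate had expired or was not yet valid when the line was logged. It assumes the wrapped log lines have been joined to one line each, that the year is supplied by the caller because syslog stamps omit it, and that the preceding "using certificate" line of the same worker thread names the certificate being checked.

```python
import re
from datetime import datetime

FMT = "%b %d %H:%M:%S %Y"
LINE_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d+ [\d:]{8}) \S+ charon: (?P<tid>\d+)\[CFG\]\s+(?P<msg>.*)$")
USING_RE = re.compile(r'^using certificate "(?P<dn>[^"]+)"')
INVALID_RE = re.compile(
    r"^(?P<kind>\w+) certificate invalid \(valid from (?P<start>.+?) to (?P<end>.+?)\)")

# Constructed sample: lines taken from the quoted daemon.log, unwrapped.
SAMPLE = [
    "Mar 28 21:23:23 moon charon: 04[CFG] selected peer config 'rw'",
    'Mar 28 21:23:23 moon charon: 04[CFG]   using certificate "C=CH, O=Linux '
    'strongSwan, OU=OCSP, CN=carol at strongswan.org"',
    'Mar 28 21:23:23 moon charon: 04[CFG]   using trusted ca certificate '
    '"C=CH, O=Linux strongSwan, CN=strongSwan Root CA"',
    "Mar 28 21:23:23 moon charon: 04[CFG] subject certificate invalid "
    "(valid from Feb 25 08:58:57 2007 to Feb 24 08:58:57 2012)",
    "Mar 28 21:23:23 moon charon: 04[IKE] no trusted RSA public key found",
]

def validity_failures(lines, year):
    """Return one finding per 'certificate invalid' line (year: assumption,
    supplied by the caller because the syslog stamp carries none)."""
    last_cert = {}  # worker thread id -> DN from its latest 'using certificate'
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        tid, msg = m["tid"], m["msg"]
        using = USING_RE.match(msg)
        if using:
            last_cert[tid] = using["dn"]
            continue
        inv = INVALID_RE.match(msg)
        if not inv:
            continue
        seen = datetime.strptime(f"{m['stamp']} {year}", FMT)
        start = datetime.strptime(inv["start"], FMT)
        end = datetime.strptime(inv["end"], FMT)
        if seen > end:
            reason, days = "expired", (seen - end).days
        elif seen < start:
            reason, days = "not yet valid", (start - seen).days
        else:  # window covers the log time: suspect the host clock instead
            reason, days = "inside window, check the host clock", 0
        findings.append({"kind": inv["kind"], "dn": last_cert.get(tid),
                         "reason": reason, "days": days})
    return findings
```

Run over the sample with `validity_failures(SAMPLE, 2012)`, it reports the OU=OCSP certificate as expired by 33 days at the time of the test run.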
