[strongSwan] Certificates no longer valid

NGO MAEMBLE Ruth-Stephanie ruth-stephanie.ngomaemble at thalesgroup.com
Tue Apr 3 16:00:46 CEST 2012


Hello,

I am sorry but after updating carol's ocsp certificates according to the patch, both tests "ikev2/ocsp-signer-cert" and "ikev2/ocsp-timeouts-good" still fail... Here is moon's daemon.log file from test "ikev2/ocsp-signer-cert":

Apr  3 15:53:56 moon charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.6.2)
Apr  3 15:53:56 moon charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Apr  3 15:53:56 moon charon: 00[CFG]   loaded ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/strongswanCert.pem'
Apr  3 15:53:56 moon charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Apr  3 15:53:56 moon charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Apr  3 15:53:56 moon charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Apr  3 15:53:56 moon charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Apr  3 15:53:56 moon charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Apr  3 15:53:56 moon charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/moonKey.pem'
Apr  3 15:53:56 moon charon: 00[KNL] listening on interfaces:
Apr  3 15:53:56 moon charon: 00[KNL]   eth0
Apr  3 15:53:56 moon charon: 00[KNL]     192.168.0.1
Apr  3 15:53:56 moon charon: 00[KNL]     fec0::1
Apr  3 15:53:56 moon charon: 00[KNL]     fe80::fcfd:c0ff:fea8:1
Apr  3 15:53:56 moon charon: 00[KNL]   eth1
Apr  3 15:53:56 moon charon: 00[KNL]     10.1.0.1
Apr  3 15:53:56 moon charon: 00[KNL]     fec1::1
Apr  3 15:53:56 moon charon: 00[KNL]     fe80::fcfd:aff:fe01:1
Apr  3 15:53:56 moon charon: 00[DMN] loaded plugins: curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
Apr  3 15:53:56 moon charon: 00[JOB] spawning 16 worker threads
Apr  3 15:53:56 moon charon: 14[CFG] received stroke: add connection 'rw'
Apr  3 15:53:56 moon charon: 14[CFG]   loaded certificate "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" from 'moonCert.pem'
Apr  3 15:53:56 moon charon: 14[CFG] added configuration 'rw'
Apr  3 15:53:59 moon charon: 06[NET] received packet: from 192.168.0.100[500] to 192.168.0.1[500]
Apr  3 15:53:59 moon charon: 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Apr  3 15:53:59 moon charon: 06[IKE] 192.168.0.100 is initiating an IKE_SA
Apr  3 15:53:59 moon charon: 06[IKE] sending cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Apr  3 15:53:59 moon charon: 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Apr  3 15:53:59 moon charon: 06[NET] sending packet: from 192.168.0.1[500] to 192.168.0.100[500]
Apr  3 15:53:59 moon charon: 07[NET] received packet: from 192.168.0.100[4500] to 192.168.0.1[4500]
Apr  3 15:53:59 moon charon: 07[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Apr  3 15:53:59 moon charon: 07[IKE] received cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Apr  3 15:53:59 moon charon: 07[IKE] received end entity cert "C=CH, O=Linux strongSwan, OU=OCSP, CN=carol at strongswan.org"
Apr  3 15:53:59 moon charon: 07[CFG] looking for peer configs matching 192.168.0.1[moon.strongswan.org]...192.168.0.100[carol at strongswan.org]
Apr  3 15:53:59 moon charon: 07[CFG] selected peer config 'rw'
Apr  3 15:53:59 moon charon: 07[CFG]   using certificate "C=CH, O=Linux strongSwan, OU=OCSP, CN=carol at strongswan.org"
Apr  3 15:53:59 moon charon: 07[CFG]   using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Apr  3 15:53:59 moon charon: 07[CFG] checking certificate status of "C=CH, O=Linux strongSwan, OU=OCSP, CN=carol at strongswan.org"
Apr  3 15:53:59 moon charon: 07[CFG]   requesting ocsp status from 'http://ocsp.strongswan.org:8880' ...
Apr  3 15:53:59 moon charon: 07[CFG]   using certificate "C=CH, O=Linux strongSwan, OU=OCSP Signing Authority, CN=ocsp.strongswan.org"
Apr  3 15:53:59 moon charon: 07[CFG]   using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Apr  3 15:53:59 moon charon: 07[CFG]   reached self-signed root ca with a path length of 0
Apr  3 15:53:59 moon charon: 07[CFG]   ocsp response correctly signed by "C=CH, O=Linux strongSwan, OU=OCSP Signing Authority, CN=ocsp.strongswan.org"
Apr  3 15:53:59 moon charon: 07[CFG]   ocsp response contains no status on our certificate
Apr  3 15:53:59 moon charon: 07[CFG] ocsp check failed, fallback to crl
Apr  3 15:53:59 moon charon: 07[CFG]   fetching crl from 'http://crl.strongswan.org/strongswan.crl' ...
Apr  3 15:53:59 moon charon: 07[CFG]   using trusted certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Apr  3 15:53:59 moon charon: 07[CFG]   crl correctly signed by "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Apr  3 15:53:59 moon charon: 07[CFG]   crl is valid: until May 03 15:49:26 2012
Apr  3 15:53:59 moon charon: 07[CFG] certificate status is good
Apr  3 15:53:59 moon charon: 07[CFG]   reached self-signed root ca with a path length of 0
Apr  3 15:53:59 moon charon: 07[IKE] authentication of 'carol at strongswan.org' with RSA signature successful
Apr  3 15:53:59 moon charon: 07[IKE] peer supports MOBIKE
Apr  3 15:53:59 moon charon: 07[IKE] authentication of 'moon.strongswan.org' (myself) with RSA signature successful
Apr  3 15:53:59 moon charon: 07[IKE] IKE_SA rw[1] established between 192.168.0.1[moon.strongswan.org]...192.168.0.100[carol at strongswan.org]
Apr  3 15:53:59 moon charon: 07[IKE] scheduling reauthentication in 3348s
Apr  3 15:53:59 moon charon: 07[IKE] maximum IKE_SA lifetime 3528s
Apr  3 15:53:59 moon charon: 07[IKE] sending end entity cert "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
Apr  3 15:53:59 moon charon: 07[IKE] CHILD_SA rw{1} established with SPIs c6235c4c_i c7a5fcbe_o and TS 10.1.0.0/16 === 192.168.0.100/32
Apr  3 15:53:59 moon charon: 07[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
Apr  3 15:53:59 moon charon: 07[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.100[4500]
Apr  3 15:54:03 moon charon: 00[DMN] signal of type SIGINT received. Shutting down
Apr  3 15:54:03 moon charon: 00[IKE] deleting IKE_SA rw[1] between 192.168.0.1[moon.strongswan.org]...192.168.0.100[carol at strongswan.org]
Apr  3 15:54:03 moon charon: 00[IKE] sending DELETE for IKE_SA rw[1]
Apr  3 15:54:03 moon charon: 00[ENC] generating INFORMATIONAL request 0 [ D ]
Apr  3 15:54:03 moon charon: 00[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.100[4500]


Is that normal?

Thanks,

Stéphanie
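What the April log above actually records is this: the OCSP responder returned a correctly signed response that carried no status for carol's certificate, charon therefore fell back to the CRL, the CRL was valid and gave status good, and the IKE_SA came up. The March log in the quoted message failed earlier, at the certificate validity-period check, before any revocation check was attempted. The following Python script is an added example, not part of this thread and not strongSwan code: it reduces charon daemon.log excerpts of both kinds to a short summary, so that a test run whose "authentication successful" was reached only through the CRL fallback is visible rather than hidden. The embedded log lines are constructed excerpts of the two logs in this thread (the "carol at strongswan.org" identity is kept in the form the list archive shows), and the line layout the parser assumes (syslog timestamp, host, "charon:", thread id and log group in brackets) is the layout those logs show.

```python
"""Summarise the certificate-status decisions (OCSP result, CRL fallback,
expiry) recorded in a strongSwan charon daemon.log excerpt."""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

# Constructed sample input: status-check excerpts modelled on the two moon
# daemon.log runs quoted in this thread (identity kept as the archive shows it).
LOG_APRIL = """\
Apr  3 15:53:59 moon charon: 07[CFG] checking certificate status of "C=CH, O=Linux strongSwan, OU=OCSP, CN=carol at strongswan.org"
Apr  3 15:53:59 moon charon: 07[CFG]   requesting ocsp status from 'http://ocsp.strongswan.org:8880' ...
Apr  3 15:53:59 moon charon: 07[CFG]   ocsp response correctly signed by "C=CH, O=Linux strongSwan, OU=OCSP Signing Authority, CN=ocsp.strongswan.org"
Apr  3 15:53:59 moon charon: 07[CFG]   ocsp response contains no status on our certificate
Apr  3 15:53:59 moon charon: 07[CFG] ocsp check failed, fallback to crl
Apr  3 15:53:59 moon charon: 07[CFG]   fetching crl from 'http://crl.strongswan.org/strongswan.crl' ...
Apr  3 15:53:59 moon charon: 07[CFG]   crl correctly signed by "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Apr  3 15:53:59 moon charon: 07[CFG]   crl is valid: until May 03 15:49:26 2012
Apr  3 15:53:59 moon charon: 07[CFG] certificate status is good
Apr  3 15:53:59 moon charon: 07[IKE] authentication of 'carol at strongswan.org' with RSA signature successful
"""

LOG_MARCH = """\
Mar 28 21:23:23 moon charon: 04[CFG]   using certificate "C=CH, O=Linux strongSwan, OU=OCSP, CN=carol at strongswan.org"
Mar 28 21:23:23 moon charon: 04[CFG] subject certificate invalid (valid from Feb 25 08:58:57 2007 to Feb 24 08:58:57 2012)
Mar 28 21:23:23 moon charon: 04[IKE] no trusted RSA public key found for 'carol at strongswan.org'
Mar 28 21:23:23 moon charon: 04[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

# syslog timestamp, host, "charon:", thread id, [GROUP], message
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) charon: "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$"
)
DATE_FMT = "%b %d %H:%M:%S %Y"   # format charon uses for validity bounds


@dataclass
class RevocationCheck:
    subject: str
    ocsp_url: Optional[str] = None
    ocsp_signed: bool = False
    ocsp_result: Optional[str] = None      # e.g. "no status"
    fell_back_to_crl: bool = False
    crl_valid_until: Optional[datetime] = None
    status: Optional[str] = None           # "good", "revoked", ...


@dataclass
class ExpiredCert:
    not_before: datetime
    not_after: datetime


@dataclass
class Summary:
    checks: List[RevocationCheck] = field(default_factory=list)
    expired: List[ExpiredCert] = field(default_factory=list)
    auth: Optional[str] = None             # "success" or "failed"
    findings: List[str] = field(default_factory=list)


def _fmt(ts: Optional[datetime]) -> str:
    return ts.strftime("%Y-%m-%d %H:%M:%S") if ts else "unknown"


def analyse(log_text: str) -> Summary:
    """Walk the log once; per 'checking certificate status' block record what
    OCSP said, whether charon fell back to a CRL, and the final status."""
    s = Summary()
    current: Optional[RevocationCheck] = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                                   # not a charon line
        msg = m.group("msg").strip()
        if (x := re.match(r'checking certificate status of "(.+)"', msg)):
            current = RevocationCheck(subject=x.group(1))
            s.checks.append(current)
        elif current and (x := re.match(r"requesting ocsp status from '([^']+)'", msg)):
            current.ocsp_url = x.group(1)
        elif current and msg.startswith("ocsp response correctly signed by"):
            current.ocsp_signed = True
        elif current and msg == "ocsp response contains no status on our certificate":
            current.ocsp_result = "no status"
        elif current and msg == "ocsp check failed, fallback to crl":
            current.fell_back_to_crl = True
        elif current and (x := re.match(r"crl is valid: until (.+)", msg)):
            current.crl_valid_until = datetime.strptime(x.group(1), DATE_FMT)
        elif current and (x := re.match(r"certificate status is (\w+)", msg)):
            current.status = x.group(1)
        elif (x := re.match(r"subject certificate invalid \(valid from (.+) to (.+)\)", msg)):
            s.expired.append(ExpiredCert(datetime.strptime(x.group(1), DATE_FMT),
                                         datetime.strptime(x.group(2), DATE_FMT)))
        elif msg.startswith("authentication of") and "(myself)" not in msg \
                and msg.endswith("successful"):
            s.auth = "success"                         # peer authenticated
        elif "N(AUTH_FAILED)" in msg:
            s.auth = "failed"

    # Turn the records into findings a test reviewer would want to see.
    for c in s.checks:
        if c.status == "good" and c.fell_back_to_crl:
            s.findings.append(
                f"{c.subject}: OCSP responder {c.ocsp_url} answered with a signed "
                f"response but {c.ocsp_result or 'an unusable result'}; 'good' comes "
                f"from the CRL fallback (CRL valid until {_fmt(c.crl_valid_until)})"
            )
        elif c.status not in ("good", None):
            s.findings.append(f"{c.subject}: certificate status {c.status}")
    for e in s.expired:
        s.findings.append(
            f"peer certificate expired on {_fmt(e.not_after)}; renew it before rerunning the test"
        )
    return s


if __name__ == "__main__":
    for name, text in (("April run", LOG_APRIL), ("March run", LOG_MARCH)):
        summary = analyse(text)
        print(f"{name}: auth={summary.auth}")
        for finding in summary.findings:
            print("  -", finding)
```

Run against the April excerpt it reports the authentication as successful but flags that the good status came from the CRL, not from the responder; against the March excerpt it reports the expired validity window and the AUTH_FAILED response. A test that is meant to exercise the OCSP path (as "ikev2/ocsp-signer-cert" is) should treat the first finding as a failure of the test setup even though the IKE_SA was established.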









-----Original Message-----
From: Andreas Steffen [mailto:andreas.steffen at strongswan.org]
Sent: Monday, 2 April 2012 15:08
To: NGO MAEMBLE Ruth-Stephanie
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] Certificates no longer valid

Hello Stéphanie,

the expired OCSP key/certificate pair was renewed with the following
patch:

http://git.strongswan.org/?p=strongswan.git;a=commit;h=ebf292bad0bd4cafb6edc3f49ae35804277874ea

The updated test will be contained in the upcoming 4.6.3dr2 release.

Regards

Andreas

On 02.04.2012 14:53, NGO MAEMBLE Ruth-Stephanie wrote:

> Hello,
>
> I'm working on the automated tests of strongSwan-4.6.2. I have a problem
> with two tests of yours: "ikev2/ocsp-signer-cert" and
> "ikev2/ocsp-timeouts-good". The second one is based on the first. Both
> indicate a certificate invalidity (see moon's daemon.log file below).
> On your website they probably passed because you launched them on
> February 20th 2012, and these certificates were valid until February
> 24th 2012.
>
> Could you please let me know if there is an evolution of these tests?
> Should I regenerate certificates by myself to pass them?
>
> Moon's daemon.log file extracted from the test "ikev2/ocsp-signer-cert":

>
> Mar 28 21:23:20 moon charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.6.2)
> Mar 28 21:23:20 moon charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> Mar 28 21:23:20 moon charon: 00[CFG]   loaded ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/strongswanCert.pem'
> Mar 28 21:23:20 moon charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> Mar 28 21:23:20 moon charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> Mar 28 21:23:20 moon charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> Mar 28 21:23:20 moon charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
> Mar 28 21:23:20 moon charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
> Mar 28 21:23:20 moon charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/moonKey.pem'
> Mar 28 21:23:20 moon charon: 00[KNL] listening on interfaces:
> Mar 28 21:23:20 moon charon: 00[KNL]   eth0
> Mar 28 21:23:20 moon charon: 00[KNL]     192.168.0.1
> Mar 28 21:23:20 moon charon: 00[KNL]     fec0::1
> Mar 28 21:23:20 moon charon: 00[KNL]     fe80::fcfd:c0ff:fea8:1
> Mar 28 21:23:20 moon charon: 00[KNL]   eth1
> Mar 28 21:23:20 moon charon: 00[KNL]     10.1.0.1
> Mar 28 21:23:20 moon charon: 00[KNL]     fec1::1
> Mar 28 21:23:20 moon charon: 00[KNL]     fe80::fcfd:aff:fe01:1
> Mar 28 21:23:20 moon charon: 00[DMN] loaded plugins: curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
> Mar 28 21:23:20 moon charon: 00[JOB] spawning 16 worker threads
> Mar 28 21:23:20 moon charon: 08[CFG] received stroke: add ca 'strongswan-ca'
> Mar 28 21:23:20 moon charon: 08[CFG] added ca 'strongswan-ca'
> Mar 28 21:23:20 moon charon: 09[CFG] received stroke: add connection 'rw'
> Mar 28 21:23:20 moon charon: 09[CFG]   loaded certificate "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" from 'moonCert.pem'
> Mar 28 21:23:20 moon charon: 09[CFG] added configuration 'rw'
> Mar 28 21:23:22 moon charon: 05[NET] received packet: from 192.168.0.100[500] to 192.168.0.1[500]
> Mar 28 21:23:22 moon charon: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Mar 28 21:23:22 moon charon: 05[IKE] 192.168.0.100 is initiating an IKE_SA
> Mar 28 21:23:23 moon charon: 05[IKE] sending cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
> Mar 28 21:23:23 moon charon: 05[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> Mar 28 21:23:23 moon charon: 05[NET] sending packet: from 192.168.0.1[500] to 192.168.0.100[500]
> Mar 28 21:23:23 moon charon: 04[NET] received packet: from 192.168.0.100[4500] to 192.168.0.1[4500]
> Mar 28 21:23:23 moon charon: 04[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
> Mar 28 21:23:23 moon charon: 04[IKE] received cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
> Mar 28 21:23:23 moon charon: 04[IKE] received end entity cert "C=CH, O=Linux strongSwan, OU=OCSP, CN=carol at strongswan.org"
> Mar 28 21:23:23 moon charon: 04[CFG] looking for peer configs matching 192.168.0.1[moon.strongswan.org]...192.168.0.100[carol at strongswan.org]
> Mar 28 21:23:23 moon charon: 04[CFG] selected peer config 'rw'
> Mar 28 21:23:23 moon charon: 04[CFG]   using certificate "C=CH, O=Linux strongSwan, OU=OCSP, CN=carol at strongswan.org"
> Mar 28 21:23:23 moon charon: 04[CFG]   using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
> Mar 28 21:23:23 moon charon: 04[CFG] subject certificate invalid (valid from Feb 25 08:58:57 2007 to Feb 24 08:58:57 2012)
> Mar 28 21:23:23 moon charon: 04[IKE] no trusted RSA public key found for 'carol at strongswan.org'
> Mar 28 21:23:23 moon charon: 04[IKE] peer supports MOBIKE
> Mar 28 21:23:23 moon charon: 04[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> Mar 28 21:23:23 moon charon: 04[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.100[4500]
> Mar 28 21:23:26 moon charon: 00[DMN] signal of type SIGINT received. Shutting down
>
> Thanks and best regards,
>
> Stéphanie Ngo Maemble
>



======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

