[strongSwan] Certificates no longer valid

Andreas Steffen andreas.steffen at strongswan.org
Tue Apr 3 18:53:12 CEST 2012


Hello Stéphanie,

you also have to update /etc/openssl/index.txt

http://git.strongswan.org/?p=strongswan.git;a=blob;f=testing/hosts/winnetou/etc/openssl/index.txt;h=728c18c126f4401c9b0984dada1db9a98e231c35;hb=ebf292bad0bd4cafb6edc3f49ae35804277874ea

on winnetou since the OCSP server is based on OpenSSL which gets
its status information from the index.txt file.

Regards

Andreas

On 03.04.2012 16:00, NGO MAEMBLE Ruth-Stephanie wrote:
> Hello,
> 
> I am sorry but after updating carol's ocsp certificates according to the
> patch, both tests "ikev2/ocsp-signer-cert" and
> "ikev2/ocsp-timeouts-good" still fail... Here is moon's daemon.log
> file from test "ikev2/ocsp-signer-cert":
> 
> Apr  3 15:53:56 moon charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.6.2)
> Apr  3 15:53:56 moon charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> Apr  3 15:53:56 moon charon: 00[CFG]   loaded ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/strongswanCert.pem'
> Apr  3 15:53:56 moon charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> Apr  3 15:53:56 moon charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> Apr  3 15:53:56 moon charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> Apr  3 15:53:56 moon charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
> Apr  3 15:53:56 moon charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
> Apr  3 15:53:56 moon charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/moonKey.pem'
> Apr  3 15:53:56 moon charon: 00[KNL] listening on interfaces:
> Apr  3 15:53:56 moon charon: 00[KNL]   eth0
> Apr  3 15:53:56 moon charon: 00[KNL]     192.168.0.1
> Apr  3 15:53:56 moon charon: 00[KNL]     fec0::1
> Apr  3 15:53:56 moon charon: 00[KNL]     fe80::fcfd:c0ff:fea8:1
> Apr  3 15:53:56 moon charon: 00[KNL]   eth1
> Apr  3 15:53:56 moon charon: 00[KNL]     10.1.0.1
> Apr  3 15:53:56 moon charon: 00[KNL]     fec1::1
> Apr  3 15:53:56 moon charon: 00[KNL]     fe80::fcfd:aff:fe01:1
> Apr  3 15:53:56 moon charon: 00[DMN] loaded plugins: curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
> Apr  3 15:53:56 moon charon: 00[JOB] spawning 16 worker threads
> Apr  3 15:53:56 moon charon: 14[CFG] received stroke: add connection 'rw'
> Apr  3 15:53:56 moon charon: 14[CFG]   loaded certificate "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" from 'moonCert.pem'
> Apr  3 15:53:56 moon charon: 14[CFG] added configuration 'rw'
> Apr  3 15:53:59 moon charon: 06[NET] received packet: from 192.168.0.100[500] to 192.168.0.1[500]
> Apr  3 15:53:59 moon charon: 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Apr  3 15:53:59 moon charon: 06[IKE] 192.168.0.100 is initiating an IKE_SA
> Apr  3 15:53:59 moon charon: 06[IKE] sending cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
> Apr  3 15:53:59 moon charon: 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> Apr  3 15:53:59 moon charon: 06[NET] sending packet: from 192.168.0.1[500] to 192.168.0.100[500]
> Apr  3 15:53:59 moon charon: 07[NET] received packet: from 192.168.0.100[4500] to 192.168.0.1[4500]
> Apr  3 15:53:59 moon charon: 07[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
> Apr  3 15:53:59 moon charon: 07[IKE] received cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
> Apr  3 15:53:59 moon charon: 07[IKE] received end entity cert "C=CH, O=Linux strongSwan, OU=OCSP, CN=carol at strongswan.org"
> Apr  3 15:53:59 moon charon: 07[CFG] looking for peer configs matching 192.168.0.1[moon.strongswan.org]...192.168.0.100[carol at strongswan.org]
> Apr  3 15:53:59 moon charon: 07[CFG] selected peer config 'rw'
> Apr  3 15:53:59 moon charon: 07[CFG]   using certificate "C=CH, O=Linux strongSwan, OU=OCSP, CN=carol at strongswan.org"
> Apr  3 15:53:59 moon charon: 07[CFG]   using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
> Apr  3 15:53:59 moon charon: 07[CFG] checking certificate status of "C=CH, O=Linux strongSwan, OU=OCSP, CN=carol at strongswan.org"
> Apr  3 15:53:59 moon charon: 07[CFG]   requesting ocsp status from 'http://ocsp.strongswan.org:8880' ...
> Apr  3 15:53:59 moon charon: 07[CFG]   using certificate "C=CH, O=Linux strongSwan, OU=OCSP Signing Authority, CN=ocsp.strongswan.org"
> Apr  3 15:53:59 moon charon: 07[CFG]   using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
> Apr  3 15:53:59 moon charon: 07[CFG]   reached self-signed root ca with a path length of 0
> Apr  3 15:53:59 moon charon: 07[CFG]   ocsp response correctly signed by "C=CH, O=Linux strongSwan, OU=OCSP Signing Authority, CN=ocsp.strongswan.org"
> Apr  3 15:53:59 moon charon: 07[CFG]   ocsp response contains no status on our certificate
> Apr  3 15:53:59 moon charon: 07[CFG] *ocsp check failed, fallback to crl*
> Apr  3 15:53:59 moon charon: 07[CFG]   fetching crl from 'http://crl.strongswan.org/strongswan.crl' ...
> Apr  3 15:53:59 moon charon: 07[CFG]   using trusted certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
> Apr  3 15:53:59 moon charon: 07[CFG]   crl correctly signed by "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
> Apr  3 15:53:59 moon charon: 07[CFG]   crl is valid: until May 03 15:49:26 2012
> Apr  3 15:53:59 moon charon: 07[CFG] certificate status is good
> Apr  3 15:53:59 moon charon: 07[CFG]   reached self-signed root ca with a path length of 0
> Apr  3 15:53:59 moon charon: 07[IKE] authentication of 'carol at strongswan.org' with RSA signature successful
> Apr  3 15:53:59 moon charon: 07[IKE] peer supports MOBIKE
> Apr  3 15:53:59 moon charon: 07[IKE] authentication of 'moon.strongswan.org' (myself) with RSA signature successful
> Apr  3 15:53:59 moon charon: 07[IKE] IKE_SA rw[1] established between 192.168.0.1[moon.strongswan.org]...192.168.0.100[carol at strongswan.org]
> Apr  3 15:53:59 moon charon: 07[IKE] scheduling reauthentication in 3348s
> Apr  3 15:53:59 moon charon: 07[IKE] maximum IKE_SA lifetime 3528s
> Apr  3 15:53:59 moon charon: 07[IKE] sending end entity cert "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
> Apr  3 15:53:59 moon charon: 07[IKE] CHILD_SA rw{1} established with SPIs c6235c4c_i c7a5fcbe_o and TS 10.1.0.0/16 === 192.168.0.100/32
> Apr  3 15:53:59 moon charon: 07[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
> Apr  3 15:53:59 moon charon: 07[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.100[4500]
> Apr  3 15:54:03 moon charon: 00[DMN] signal of type SIGINT received. Shutting down
> Apr  3 15:54:03 moon charon: 00[IKE] deleting IKE_SA rw[1] between 192.168.0.1[moon.strongswan.org]...192.168.0.100[carol at strongswan.org]
> Apr  3 15:54:03 moon charon: 00[IKE] sending DELETE for IKE_SA rw[1]
> Apr  3 15:54:03 moon charon: 00[ENC] generating INFORMATIONAL request 0 [ D ]
> Apr  3 15:54:03 moon charon: 00[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.100[4500]
> 
> Is that normal?
> 
> Thanks,
> 
> Stéphanie
> 

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
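The mechanism behind Andreas's answer, as an added example (not strongSwan's or OpenSSL's code): an OpenSSL-based OCSP responder derives every answer from the CA database file index.txt, keyed by certificate serial. The block parses that six-field, tab-separated format, reproduces the responder's lookup (no row for the serial gives 'unknown', which charon reports as "ocsp response contains no status on our certificate" before falling back to the CRL; a 'V' row gives 'good'; any other row gives 'revoked'), and finishes with the drift check an operator would run after regenerating certificates. The index.txt rows, serials and the assumption that the re-issued carol certificate received a new serial are all constructed for the example.

```python
"""Reproduce the index.txt lookup an OpenSSL-based OCSP responder performs.

openssl ocsp answers requests purely from the CA database (index.txt):
no row for the requested serial -> 'unknown', a 'V' row -> 'good', any other
row -> 'revoked'.  Added example, not strongSwan or OpenSSL code; the sample
rows and serials below are constructed.
"""
import datetime as dt
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class IndexEntry:
    status: str                     # 'V' valid, 'R' revoked, 'E' expired
    expires: dt.datetime
    revoked: Optional[dt.datetime]  # set only for 'R' rows
    reason: Optional[str]           # optional CRL reason after the revocation time
    serial: str                     # uppercase hex, as written by openssl ca
    subject: str                    # subject DN in OpenSSL's one-line form


def parse_time(stamp: str) -> dt.datetime:
    """Parse the UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ) openssl ca writes."""
    fmt = "%y%m%d%H%M%SZ" if len(stamp) == 13 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(stamp, fmt).replace(tzinfo=dt.timezone.utc)


def normalize_serial(serial: str) -> str:
    """Canonical key form: uppercase hex with an even number of digits (BN_bn2hex style)."""
    hexdigits = serial.replace(":", "").upper().lstrip("0") or "0"
    return hexdigits if len(hexdigits) % 2 == 0 else "0" + hexdigits


def parse_index(text: str) -> Dict[str, IndexEntry]:
    """Parse index.txt: six tab-separated fields per row
    (status, expiry, revocation[,reason], serial, filename, subject DN)."""
    db: Dict[str, IndexEntry] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        fields = raw.split("\t")
        if len(fields) != 6:
            raise ValueError(f"index.txt line {lineno}: expected 6 fields, got {len(fields)}")
        status, expiry, revocation, serial, _filename, subject = fields
        revoked = reason = None
        if revocation:
            stamp, _, reason_text = revocation.partition(",")
            revoked = parse_time(stamp)
            reason = reason_text or None
        key = normalize_serial(serial)
        db[key] = IndexEntry(status, parse_time(expiry), revoked, reason, key, subject)
    return db


def ocsp_status(db: Dict[str, IndexEntry], serial: str) -> str:
    """Status the responder derives from index.txt for one certificate serial.

    Mirrors openssl ocsp: a missing row is 'unknown' (charon then logs
    'ocsp response contains no status on our certificate' and falls back
    to the CRL); only a 'V' row is 'good'; every other row type is 'revoked'.
    """
    entry = db.get(normalize_serial(serial))
    if entry is None:
        return "unknown"
    return "good" if entry.status == "V" else "revoked"


def unknown_to_responder(db: Dict[str, IndexEntry], deployed: Dict[str, str]) -> List[str]:
    """Drift check: deployed certificates (serial -> label) the responder cannot vouch for."""
    return [f"{label} (serial {normalize_serial(ser)})"
            for ser, label in deployed.items() if ocsp_status(db, ser) == "unknown"]


# Constructed index.txt content: one valid row (the serial carol's certificate had
# when index.txt was last written) and one revoked row with a reason code.
SAMPLE_INDEX = (
    "V\t130403120000Z\t\t05\tunknown\t/C=CH/O=Linux strongSwan/OU=OCSP/CN=carol@strongswan.org\n"
    "R\t130403120000Z\t120301090000Z,keyCompromise\t06\tunknown\t/C=CH/O=Linux strongSwan/CN=revoked.example\n"
)

# Constructed serials of the certificates actually installed after re-issuing:
# the new carol certificate got serial 07, which index.txt never saw.
DEPLOYED = {"07": "carol (re-issued)", "05": "carol (previous)"}


if __name__ == "__main__":
    db = parse_index(SAMPLE_INDEX)
    for ser in ("05", "06", "07"):
        print(f"serial {ser}: {ocsp_status(db, ser)}")
    print("responder would answer 'unknown' for:", unknown_to_responder(db, DEPLOYED))
```

Running it against the constructed rows shows the failure mode in the quoted log: the previous serial is answered 'good', the re-issued one 'unknown', which is why charon discards the OCSP answer and falls back to the CRL (where the certificate happens to be absent from the revoked list, hence "certificate status is good"). After re-issuing certificates, the fix is to have the CA regenerate index.txt (or re-sign through openssl ca so the new serials are recorded) and then re-run the drift check.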
