[strongSwan] CRL response with Strongswan 4

Fabrice Barconnière fabrice.barconniere at ac-dijon.fr
Mon Dec 10 16:42:44 CET 2012


Hello,

I've built Strongswan 4.6.4 and tried it. I have the same problem, but the logs are different:
Dec 10 16:00:02 sphynxtestha1 charon: 15[CFG]   using certificate "C=fr, O=gouv, OU=education, OU=ac-dijon, CN=0210066H-15"
Dec 10 16:00:02 sphynxtestha1 charon: 15[CFG]   using trusted ca certificate "C=fr, O=gouv, CN=RACINE AGRIATES"
Dec 10 16:00:02 sphynxtestha1 charon: 15[CFG] checking certificate status of "C=fr, O=gouv, OU=education, OU=ac-dijon, CN=0210066H-15"
Dec 10 16:00:02 sphynxtestha1 charon: 15[CFG]   using trusted certificate "C=fr, O=gouv, CN=RACINE AGRIATES"
Dec 10 16:00:02 sphynxtestha1 charon: 15[CFG]   using certificate "C=fr, O=gouv, CN=RACINE AGRIATES"
Dec 10 16:00:02 sphynxtestha1 charon: 15[CFG] no issuer certificate found for "C=fr, O=gouv, CN=RACINE AGRIATES"
Dec 10 16:00:02 sphynxtestha1 charon: 15[CFG] crl response verification failed
Dec 10 16:00:02 sphynxtestha1 charon: 15[CFG]   fetching crl from 'http://crl1.igc.education.fr/agriates.crl' ...
Dec 10 16:00:02 sphynxtestha1 charon: 15[CFG]   using trusted certificate "C=fr, O=gouv, CN=RACINE AGRIATES"
Dec 10 16:00:03 sphynxtestha1 charon: 15[CFG]   using certificate "C=fr, O=gouv, CN=RACINE AGRIATES"
Dec 10 16:00:03 sphynxtestha1 charon: 15[CFG] no issuer certificate found for "C=fr, O=gouv, CN=RACINE AGRIATES"
Dec 10 16:00:03 sphynxtestha1 charon: 15[CFG] crl response verification failed

It says no issuer certificate found for "C=fr, O=gouv, CN=RACINE AGRIATES", but it is the issuer.

openssl x509 -in cacert.pem -text -noout returns this:
Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
             29:35:ae:18:bd:3a:33:63:43:b8:c1:b0:e4:28:f7:22
         Signature Algorithm: sha1WithRSAEncryption
         Issuer: C=fr, O=gouv, CN=RACINE AGRIATES
         Validity
             Not Before: Dec  9 13:26:42 2009 GMT
             Not After : Nov 30 01:00:02 2020 GMT
         Subject: C=fr, O=gouv, CN=RACINE AGRIATES
........

Is it because something is missing or bad in the 'identities' table?
In my 'identities' table:
INSERT INTO "identities" 
VALUES(39,9,X'3036310B3009060355040613026672310D300B060355040A1304676F7576311830160603550403130F524143494E45204147524941544553');
INSERT INTO "identities" 
VALUES(3111,11,X'7ABCB468F8B1A23244C9D0EBFD9E06C256012B03');

For the CA certificate in the 'certificates' table:
INSERT INTO "certificates" 

RACINE AGRIATES is not a local CA.

Thanks,
Fabrice


On 26/11/2012 16:00, Fabrice Barconnière wrote:
> On 26/11/2012 15:00, Andreas Steffen wrote:
>> Hi Fabrice,
>>
>> does the Authority Key Identifier contained in the CRL
>> equal the Subject Key Identifier of the CA certificate?
>>
>> This means: Is the signer of the CRL the same authority
>> which signed the end-entity certificates?
>>
>> On 26.11.2012 13:29, Fabrice Barconnière wrote:
>>>            CRL extensions:
>>>                X509v3 Authority Key Identifier:
>>> keyid:7A:BC:B4:68:F8:B1:A2:32:44:C9:D0:EB:FD:9E:06:C2:56:01:2B:03
>> Regards
>>
>> Andreas
>>
>> ======================================================================
>> Andreas Steffen                         andreas.steffen at strongswan.org
>> strongSwan - the Linux VPN Solution!                www.strongswan.org
>> Institute for Internet Technologies and Applications
>> University of Applied Sciences Rapperswil
>> CH-8640 Rapperswil (Switzerland)
>> ===========================================================[ITA-HSR]==
>>
> keyid in crl:
> keyid:7A:BC:B4:68:F8:B1:A2:32:44:C9:D0:EB:FD:9E:06:C2:56:01:2B:03
>
> keyid of CA certificate (from a .dump extract):
> INSERT INTO "certificates" VALUES(3,1,1,X'the CA certificate');
> INSERT INTO "identities"
> VALUES(3111,11,X'7ABCB468F8B1A23244C9D0EBFD9E06C256012B03');
> INSERT INTO "certificate_identity" VALUES(3,3111);
> INSERT INTO "certificate_authorities" VALUES(39,3);
> openssl x509 -in cacert.pem -text -noout returns:
> .......
>           X509v3 extensions:
>               Netscape Cert Type:
>                   SSL CA, S/MIME CA, Object Signing CA
>               X509v3 Basic Constraints: critical
>                   CA:TRUE
>               X509v3 Subject Key Identifier:
> 7A:BC:B4:68:F8:B1:A2:32:44:C9:D0:EB:FD:9E:06:C2:56:01:2B:03
>               X509v3 Key Usage: critical
>                   Digital Signature, Certificate Sign, CRL Sign
>               X509v3 Authority Key Identifier:
> keyid:7A:BC:B4:68:F8:B1:A2:32:44:C9:D0:EB:FD:9E:06:C2:56:01:2B:03
> ........
>
> Note that there is no file in /etc/ipsec.d/crls/
> I don't know if that is normal behaviour in database mode.
>
> End entity certificate:
>           Serial Number:
>               dd:9e:07:6b:bd:26:2d:62:6f:fa:b0:0b:6f:fb:74:05
>           Signature Algorithm: sha1WithRSAEncryption
>           Issuer: C=fr, O=gouv, CN=RACINE AGRIATES
>           Validity
>               Not Before: Mar 22 09:32:39 2010 GMT
>               Not After : Mar 22 09:32:39 2015 GMT
>           Subject: C=fr, O=gouv, OU=education, OU=ac-dijon, CN=0210066H-15
>           Subject Public Key Info:
>               Public Key Algorithm: rsaEncryption
>               RSA Public Key: (2048 bit)
>                   Modulus (2048 bit):
>                       00:a0:09:32:b4:88:5e:8e:af:70:0c:ec:d2:10:a3:
>                       .................
>                       95:d5:1d:f9:12:f6:11:2f:af:c5:06:56:c3:ad:80:
>                       f4:17
>                   Exponent: 65537 (0x10001)
>           X509v3 extensions:
>               X509v3 Key Usage: critical
>                   Digital Signature, Non Repudiation, Key Encipherment
>               Netscape Cert Type:
>                   Object Signing
>               X509v3 Authority Key Identifier:
> keyid:7A:BC:B4:68:F8:B1:A2:32:44:C9:D0:EB:FD:9E:06:C2:56:01:2B:03
>
> keyid is the same everywhere :-/
>
> Regards,
> Fabrice
>
>
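The thread revolves around two things that have to line up before a CRL can be accepted: the Authority Key Identifier in the CRL must equal the Subject Key Identifier of the CA certificate, and the CA's identity rows in the SQL backend must actually describe that certificate. The rows pasted above store the CA's distinguished name as a DER-encoded X.501 Name (identity type 9) and its key identifier as raw bytes (identity type 11), which is hard to eyeball against `openssl x509` output. The following is an added example, not code from the thread or from the strongSwan project: a stdlib-only Python decoder for those two blob types plus a comparison against the `keyid:` string openssl prints. The type numbers 9 and 11 are read off the rows in the thread; the blobs and the keyid string are the ones quoted above.

```python
"""Decode strongSwan SQL 'identities' blobs and compare a CRL's AKI with a CA's SKI.

Added diagnostic example (not from the mailing-list thread or strongSwan itself).
Identity type 9 holds a DER-encoded X.501 Name, type 11 holds raw key-identifier
bytes; both values below are copied from the rows quoted in the thread.
"""
import binascii

# Attribute-type OIDs needed for the DNs on this page plus a few common ones.
_OID_NAMES = {
    "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
    "2.5.4.10": "O", "2.5.4.11": "OU", "1.2.840.113549.1.9.1": "E",
}

# Values copied from the thread (identities table and CRL extension dump).
CA_DN_BLOB = ("3036310B3009060355040613026672310D300B060355040A1304676F7576"
              "311830160603550403130F524143494E45204147524941544553")
CA_SKI_BLOB = "7ABCB468F8B1A23244C9D0EBFD9E06C256012B03"
CRL_AKI = "keyid:7A:BC:B4:68:F8:B1:A2:32:44:C9:D0:EB:FD:9E:06:C2:56:01:2B:03"


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode DER OBJECT IDENTIFIER contents into dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def decode_dn(hex_blob):
    """Turn a type-9 identity blob into the 'C=fr, O=gouv, CN=...' form charon logs."""
    tag, name, _ = _read_tlv(binascii.unhexlify(hex_blob), 0)
    if tag != 0x30:
        raise ValueError("X.501 Name must be a SEQUENCE")
    parts, pos = [], 0
    while pos < len(name):                 # SEQUENCE OF RelativeDistinguishedName
        _, rdn, pos = _read_tlv(name, pos)
        inner = 0
        while inner < len(rdn):            # SET OF AttributeTypeAndValue
            _, atv, inner = _read_tlv(rdn, inner)
            _, oid_raw, p = _read_tlv(atv, 0)
            _, val_raw, _ = _read_tlv(atv, p)
            oid = _decode_oid(oid_raw)
            parts.append("%s=%s" % (_OID_NAMES.get(oid, oid), val_raw.decode("utf-8")))
    return ", ".join(parts)


def format_keyid(hex_blob):
    """Render a type-11 identity blob the way openssl prints a key identifier."""
    return ":".join(hex_blob[i:i + 2].upper() for i in range(0, len(hex_blob), 2))


def keyids_match(openssl_keyid, identity_hex):
    """True when an openssl 'keyid:AA:BB:..' string equals an identities-table blob."""
    norm = openssl_keyid.replace("keyid:", "").replace(":", "").upper()
    return norm == identity_hex.upper()


if __name__ == "__main__":
    print("CA subject from identities row :", decode_dn(CA_DN_BLOB))
    print("CA SKI from identities row     :", format_keyid(CA_SKI_BLOB))
    print("CRL AKI matches CA SKI         :", keyids_match(CRL_AKI, CA_SKI_BLOB))
```

If `decode_dn` prints exactly the subject shown in the `openssl x509` output and `keyids_match` is true, the database rows are not the mismatch; the remaining suspects are whether the row is linked through `certificate_identity` and `certificate_authorities` so that charon treats the self-signed root as trusted when it verifies the fetched CRL.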