[strongSwan] strongswan how to check certreq and how to build certreq field

Jun Yin hansyin at gmail.com
Thu Nov 22 02:21:22 CET 2012


Thanks you very much, you helped me a lot.

now the problem 1&2 are resolved, I could specify which CA to be sent
in certreq now.
For question 3, still something wrong.

>From my decrypted packet, I can see strongswan send out:

Certificate Authority Data: 2b6d55461e944f4e1eb197fedaf1bbeba2011c90

I calculated the value by myself with your command:

root at pc161:~# openssl x509 -in
/etc/ipsec.d/cacerts/cacert_hans_216_sub3_ca.pem -outform der -out
root at pc161:~# hash=`sha1sum cert.der | awk '{ print $1 }'`
root at pc161:~# echo $hash
root at pc161:~# sha1sum cert.der
5cf9759c64f7fd5cd28b47a3d1ac7f2ef4ee76c1  cert.der

The value does not match!   I must did something wrong. Could you help
me to figure out?  I attached my cacert in this email.  Thanks again.

On Wed, Nov 21, 2012 at 12:09 PM, Andreas Steffen
<andreas.steffen at strongswan.org> wrote:
> On 11/21/2012 08:47 PM, Jun Yin wrote:
>> Hi,
>> I know certreq should be filled by part of hash of certificate
>> authority, but I don't know an easy way to calculate it by myself.
>>> From my debug:
>> Nov 20 18:09:15 pc161 charon: 16[IKE] local host is behind NAT,
>> sending keep alives
>> Nov 20 18:09:15 pc161 charon: 16[IKE] received 1 cert requests for an
>> unknown ca
>> Nov 20 18:09:15 pc161 charon: 16[IKE] sending cert request for "C=CA,
>> ST=bc, L=vancouver, O=fortinet, OU=qa, CN=hans_216,
>> E=hans_216 at stress.com"
>> Nov 20 18:09:15 pc161 charon: 16[IKE] sending cert request for "C=CA,
>> ST=bc, L=vancouver, O=fortinet, OU=qa, CN=hans_216_sub2,
>> E=hans_216_sub2 at stress.com"
>> Nov 20 18:09:16 pc161 charon: 16[IKE] authentication of 'C=CA, ST=bc,
>> L=vancouver, O=fortinet, OU=qa, CN=dut2_sub3_alt,
>> E=dut2_sub3 at stress.com' (myself) with RSA signature successful
>> 1. The second line said "requests for an unknown ca".     I don't know
>> why, I suppose I have all relevant cacert in directory
>> /etc/ipsec.d/cacert.  So, is that means my peer sending a wrong value
>> in certreq field?
> Probably yes, since all CA certificates from /etc/ipsec.d/cacerts/
> or loaded via ca sections in /etc/ipsec.conf are checked.
>> 2. The third and fourth line said we're building our certreq field and
>> sending it. My questions is how do strongswan choose cacert to send? I
>> actually have 4 cacert in my directory /etc/ipsec.d/cacert. Why do
>> strongswan choose two of them? which kind of rule?
> By default the SHA1 hashes of all CA certificates in
> /etc/ipsec.d/cacerts/ and optionally loaded via ca sections in
> /etc/ipsec.conf are sent in the CERTREQ but if you define
> rightca = "<Subject Distinguished Name of CA>
> in the connection definition then only the given CA will be requested.
>> 3. To confirm if strongswan are sending correct certreq, is there a
>> way to calculate certreq field value by ourself? like an openssl
>> command?
> Use these commands:
>   openssl x509 -in cert.pem -outform der -out cert.der
>   hash=`sha1sum cert.der | awk '{ print $1 }'`
>> Thanks!
> Regards
> Andreas
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==


Hans Yin
Web:   http://sourceforge.net/projects/autotestnet/
Email:  hansyin at gmail.com
MSN:   hansyin at hotmail.com
Skype: hans_yin_vancouver
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cacert_hans_216_sub3_ca.pem
Type: application/octet-stream
Size: 2520 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20121121/200e6c1d/attachment.obj>

More information about the Users mailing list