[strongSwan] How to use Strongswan 5.0.1 & Smartcard correctly?

richter at ecos.de richter at ecos.de
Fri Oct 12 11:59:03 CEST 2012


Hi,

> 
> > You can't tell me that (Aladdin/Safenet) eTokens are exotic...
> 
> It's not about the token itself, but how the keys and certificates are deployed
> on it.
>

Yes, of course it's not the token, but the Windows software that comes with Aladdin/Safenet tokens is the standard software that everybody who uses eTokens on Windows uses, and I think eTokens are widely used.

> 
> I'll have a look at it next week, shouldn't be too hard to implement this
> fallback.
> 

[[GR]] Thanks!

> > I have two certificates with the same subject (different usage (sign,
> > encrypt). So is there a way to tell strongswan which certificate to
> > use (I can't change the smartcard)?
> 
> No, currently not.

[[GR]] Ok, can you tell me where in the source the certificate selection takes place?

> 
> > And why is the private key found during "ipsec secrets", but not when
> > I start the connection:
> 
> The loaded private key is later looked up using the computed fingerprint.
> Either the pkcs11 backend can't fingerprint the associated public key, or the
> fingerprints don't match.
> 

[[GR]] The "computed fingerprint" of what?
Do I understand right:

1. The certificate is selected using the first certificate whose subject matches leftid.
2. The fingerprint of the associated public key is computed.
3. From any private key, you compute the public key and then the fingerprint of that public key.
4. The fingerprints from 3 are compared to the fingerprint from 2, and the matching one is selected.

In this case we have a pkcs11 module from our customer, so that might have a problem, so I would like to understand how strongSwan selects the key, so I can figure out whether it is a pkcs11 or a strongSwan problem.

Thanks & Regards

Gerald



> Regards
> Martin
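To check steps 2 to 4 of the procedure described in the post outside of strongSwan, here is an added shell example (it is neither from this thread nor from the strongSwan project) that computes the public key fingerprint from a certificate and from a private key with OpenSSL and compares them. It assumes the fingerprint is the SHA-1 over the DER-encoded SubjectPublicKeyInfo; the helper names and the throwaway keys are constructed for the example.

```shell
#!/bin/sh
# Added example: reproduce the fingerprint comparison with OpenSSL.
# Assumption: the lookup compares the SHA-1 over the DER SubjectPublicKeyInfo
# of the certificate's key with the same hash over the public half derived
# from each private key. Helper names are made up for this example.
set -eu

# SHA-1 of the DER SubjectPublicKeyInfo carried in a PEM certificate.
cert_pubkey_fp() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha1 | sed 's/^.*= *//'
}

# The same hash, but over the public key derived from a PEM private key.
privkey_pubkey_fp() {
  openssl pkey -in "$1" -pubout -outform DER \
    | openssl dgst -sha1 | sed 's/^.*= *//'
}

# Step 4 of the procedure: does this private key belong to this certificate?
check_pair() {
  if [ "$(cert_pubkey_fp "$1")" = "$(privkey_pubkey_fp "$2")" ]; then
    echo match
  else
    echo mismatch
  fi
}

# Constructed sample data: a self-signed certificate with its key, plus a
# second, unrelated key (like a separate encryption key with the same subject).
make_sample() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=smartcard-test" \
    -keyout "$d/sign.key" -out "$d/sign.crt" >/dev/null 2>&1
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$d/enc.key" >/dev/null 2>&1
  echo "$d"
}

d=$(make_sample)
echo "cert : $(cert_pubkey_fp "$d/sign.crt")"
echo "sign : $(privkey_pubkey_fp "$d/sign.key") -> $(check_pair "$d/sign.crt" "$d/sign.key")"
echo "enc  : $(privkey_pubkey_fp "$d/enc.key") -> $(check_pair "$d/sign.crt" "$d/enc.key")"
rm -rf "$d"
```

Running the two fingerprint helpers against the certificate strongSwan picks and against the key the pkcs11 module exposes shows directly whether the two sides agree on the public key.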
