[strongSwan] How to use Strongswan 5.0.1 & Smartcard correctly?
richter at ecos.de
richter at ecos.de
Fri Oct 12 11:59:03 CEST 2012
Hi,
>
> > You can't tell me that (Aladdin/Safenet) eTokens are exotic...
>
> It's not about the token itself, but how the keys and certificates are deployed
> on it.
>
Yes, of course it's not the token, but the windows software that comes with Aladdin/Safenet Tokens is the standard software that everybody uses who uses eToken on Windows and I think eToken are widely used.
>
> I'll have a look at it next week, shouldn't be too hard to implement this
> fallback.
>
[[GR]] Thanks!
> > I have two certificates with the same subject (different usage (sign,
> > encrypt). So is there a way to tell strongswan which certificate to
> > use (I can't change the smartcard)?
>
> No, currently not.
[[GR]] Ok, can you tell me where in the source the certificate selection takes place?
>
> > And why is the private key found during "ipsec secrets", but not when
> > I start the connection:
>
> The loaded private key is later looked up using the computed fingerprint.
> Either the pkcs11 backend can't fingerprint the associated public key, or the
> fingerprints don't match.
>
[[GR]] The "computed fingerprint" of what?
Do I understand right:
1 the certificate is selected using the first certificate that has a matching subject compared to leftid
2 the fingerprint of the associated public key is computed
3 from any private key, you compute the public key and compute the fingerprint of that public key
4 These fingerprints from 3 are compared the fingerprint from 2 and the matching one is selected
In this case we have a pkcs11 from our customer, so that might have a problem, so I like to understand how strongswan is selecting the key, so I can figure out if it is a pkcs11 or strongswan problem.
Thanks & Regards
Gerald
> Regards
> Martin
More information about the Users
mailing list