[strongSwan] Strongswan + Mac OSX
Claude Tompers
claude.tompers at restena.lu
Mon Sep 10 13:47:40 CEST 2012
Hi Martin,
I'm still under the impression that Mac OSX does not like my client
certificate.
Are there any special extensions that need to be set or that cannot be
set?
I've noticed that my certificate has some more attributes than yours.
Here's a copy of my client certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 17 (0x11)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=LU, ST=n/a, L=Luxembourg, O=Fondation RESTENA, CN=RESTENA VPN CA/emailAddress=admin at restena.lu
Validity
Not Before: Sep 7 07:26:06 2012 GMT
Not After : Sep 6 07:26:06 2017 GMT
Subject: C=LU, L=Luxembourg, O=Fondation RESTENA, CN=ctompers/emailAddress=claude.tompers at restena.lu
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Client, S/MIME, Object Signing
Netscape Comment:
RESTENA VPN Client Certificate
X509v3 Subject Key Identifier:
57:50:91:24:6B:0F:19:9A:76:78:B1:5E:6F:8B:D0:D4:93:A8:1A:16
X509v3 Authority Key Identifier:
keyid:F8:FD:2F:DA:23:BE:EE:8B:B4:FD:2B:D0:98:5C:C1:5F:1E:5B:74:AC
DirName:/C=LU/ST=n/a/L=Luxembourg/O=Fondation RESTENA/CN=RESTENA VPN CA/emailAddress=admin at restena.lu
serial:8D:CC:1F:4A:8D:C6:FA:CE
X509v3 Issuer Alternative Name:
<EMPTY>
X509v3 Subject Alternative Name:
email:claude.tompers at restena.lu
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage: critical
TLS Web Client Authentication
Signature Algorithm: sha1WithRSAEncryption
kind regards,
Claude
On 09/06/2012 12:20 PM, Martin Willi wrote:
> Claude,
>
>> The other Mountain Lion had the exact same behaviour as mine (also
>> 10.8.1),
> Strange, as my 10.8.1 works just fine.
>
>> the one with Lion installed 'only' complained about not being
>> able to verify the server certificate.
> Please be aware that Hybrid authentication did not work correctly in
> Lion, failing with a certificate validation error. You'll have to use a
> client certificate on Lion.
>
>> I also found this topic in an Apple Forum [...] I'm wondering if that
>> problem is related.
> Hard to say. One thing to consider with Mountain Lion is that
> certificates now need a proper ACL on the private key for authentication
> (set to racoon). This might be the problem with that L2TP/IPsec issue,
> but not with Hybrid authenticated clients (and your error, the profile
> installer sets ACLs just fine).
>
> You may try to test against our revobox demo setup [1] that uses
> strongSwan and works fine here. An iOS / OS X profile is available at
> [2], after installation you should be able to connect with "tester" /
> "test". If this works, something is wrong with your setup, if not,
> something with your Mac.
>
> Regards
> Martin
>
> [1]http://demo.revosec.ch/
> [2]https://master.revosec.net/device/mobileconfig/62IUAFQH/62IUAFQH.mobileconfig
>
--
Claude Tompers
Network and systems engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473
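As an added example (not code from the thread or from strongSwan), a small parser for the X509v3 extensions section of `openssl x509 -text -noout` output, followed by a check for the attributes a client-authentication certificate is conventionally expected to carry (end-entity, digitalSignature key usage, clientAuth EKU). The sample text is constructed to mirror the extensions shown above, and the checks express common practice for IKE/TLS client certificates, not a documented OS X requirement.

```python
# Constructed sample: the extensions section as printed by
# `openssl x509 -text -noout`, shaped like the certificate in the post.
SAMPLE_EXTENSIONS = """\
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Client, S/MIME, Object Signing
            X509v3 Subject Alternative Name:
                email:user@example.org
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: critical
                TLS Web Client Authentication
    Signature Algorithm: sha1WithRSAEncryption
"""

def parse_extensions(text):
    """Return {name: {"critical": bool, "values": [...]}} from openssl -text output."""
    exts, name, hdr_indent = {}, None, None
    lines = text.splitlines()
    starts = [i for i, l in enumerate(lines) if l.strip() == "X509v3 extensions:"]
    if not starts:
        return exts
    for line in lines[starts[0] + 1:]:
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if hdr_indent is None:
            hdr_indent = indent              # indentation of extension names
        if indent < hdr_indent:
            break                            # section ended (Signature Algorithm)
        if indent == hdr_indent:             # an extension header line
            head = line.strip()
            critical = head.endswith(": critical")
            name = head[:-len(": critical")] if critical else head.rstrip(":")
            exts[name] = {"critical": critical, "values": []}
        elif name is not None:               # a value line belonging to the header
            exts[name]["values"].extend(v.strip() for v in line.split(","))
    return exts

def check_client_cert(exts):
    """Return a list of findings; empty means the extensions suit client auth."""
    def vals(n):
        return exts.get(n, {}).get("values", [])
    problems = []
    if "CA:FALSE" not in vals("X509v3 Basic Constraints"):
        problems.append("Basic Constraints must be CA:FALSE for an end-entity certificate")
    if "Digital Signature" not in vals("X509v3 Key Usage"):
        problems.append("Key Usage lacks Digital Signature (client must sign the IKE AUTH payload)")
    if "TLS Web Client Authentication" not in vals("X509v3 Extended Key Usage"):
        problems.append("Extended Key Usage lacks TLS Web Client Authentication (clientAuth)")
    if not vals("X509v3 Subject Alternative Name"):
        problems.append("No Subject Alternative Name; the IKE identity must then be the full DN")
    return problems
```

Run `check_client_cert(parse_extensions(open("cert.txt").read()))` on the saved `openssl x509 -text` output of a certificate to list what is missing.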