[strongSwan] PEM vs DER certificate format

Thomas Egerer hakke_007 at gmx.de
Fri Dec 4 20:41:17 CET 2015 

Hello Martin,

as much as I can understand your anger about your broken strongswan
configuration, I would like to remind you that you're using a *free
of charge* software maintained by a number of very, very capable
people with a *top of the notch* documentation and support. You should
treat them with the respect they deserve and compose your mails
accordingly.
Consideringyour issue:

On 12/03/2015 04:20 PM, Martin Lund wrote:
> Hello,
> 
> Today I started to reconfiguring an existing StrongSwan 4.4 <>StrongSwan 4.4 vpn because the certs are about to expire soon.
Are you upgrading your strongswan or sticking to 4.4? If you're
sticking to your old version, then why would you think a change of
cert-encoding is required?

> 
> I was surprised that the current documentation on the strongswan site suggest to use some .DER (Binary) certification format:
> 
> https://wiki.strongswan.org/projects/1/wiki/SimpleCA
PEM support is available in any strongswan-version shipped, as long as
the pem plugin is loaded. You will not have to convert to DER for that
matter.

> 
> Why is this? Why did you had to change something which was working for years?
> Where do I even see the expiration date of this .der file?
> 
> At the old .PEM certificates at least it was obvious because I could set the number of days for expiration:
> https://www.strongswan.org/docs/readme4.htm
It seems you totally misunderstand the concept of certificate encoding.
PEM and DER are certificate formats (the former is ASCII-armored,
the latter binary). Refer to [1]. Otherwise it's simple to employ
openssl for a format conversion from PEM to DER and vice versa:
> openssl x509 inform (pem|der) -in cert -out converted -outform (der|pem)
Even pki itself has tons of options (including pem/der handling and
validity options [2]).

> 
> Considering that this .der identified by unix file as "data", it is junk for other devices like routers. How is this any better from .pem?
That's entirely wrong. It's a fact that the 'file'-binary does not
recognize it as ASN.1 (the encoding of the file), but if you run
dumpasn1 [3] on a DER file you will be suprised about the output.
I'm not sure if routers consider the file as junk, but you would you
store the certificates on a router?

> 
> After replacing the old .pems with .ders and restarting the vpn nodes I got id 'blahblah.com' not confirmed by certificate, defaulting to ... message so I had to remove the leftid/rightid directives which just making the config more secure but not even after this worked...
This warning is issued if the identity configured in strongswan.conf
cannot be found in the certificate. If you supply more information to
the list, I'm sure that someone will be able to help you.

> On Server:
> 
> Dec  3 14:01:08 vpntest1 charon: 14[CFG] no matching peer config found
> Dec  3 14:01:08 vpntest1 charon: 14[IKE] peer supports MOBIKE
> Dec  3 14:01:08 vpntest1 charon: 14[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> 
> On Client:
> Dec  3 14:01:08 vpntest2 charon: 05[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> Dec  3 14:01:08 vpntest2 charon: 05[IKE] received AUTHENTICATION_FAILED notify error
Post your configuration along with more log information and the list
will be able to inspect your issue. Your log lacks information about IDs
and what charon is looking for, so noone will be able to solve your
problem based on these sparse infos.

> What no matching peer configuration? The server does not have to have any config files just it's own key+cert+cacert.
> 
> Please remove this new "der tutorial" from your website asap so people don't even see it
> !!!!!!!!!!!!
It's ridiculous to ask for the removal. If you think an important piece
of information is missing from the page, then go ahead and add it. It's
a wiki after all.

Cheers,
Thomas

P.S.: Calm down!


[1]
https://support.ssl.com/Knowledgebase/Article/View/19/0/der-vs-crt-vs-cer-vs-pem-certificates-and-how-to-convert-them
[2] https://wiki.strongswan.org/projects/strongswan/wiki/IpsecPkiSelf
[3] https://www.cs.auckland.ac.nz/~pgut001/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20151204/ecb0830f/attachment.pgp>

More information about the Users mailing list