[strongSwan] ECDSA secp384r1 SHA384 Certificates do not work on Windows 10 and Server 2012 throw error 13806

Mark M mark076h at yahoo.com
Sun Oct 18 00:59:15 CEST 2015 

I have a strongSwan server that is using ECDSA-SHA384 server and client certificates that works great with Linux clients and the Android client, but I cannot get the client certificates to work in Windows 10/2012 and they throw the 13806 error when trying to connect. If I create RSA certificates with the exact same parameters being used for the ECDSA certificates then Windows will work fine with my strongSwan server. For example I generate the ECDSA key with "openssl ecparam -genkey -name secp384r1 -out WINCLIENT1.key"  but Windows will throw error 13806 when trying to connect, but If I use an RSA certificate generated with "openssl genrsa -out WINCLIENT1.key 2048" using the exact same parameters like the EKU, Key Usage, and SubjectAlternativeName, it will work fine with Windows.
I have posted the Client and Server certificates below.
Is there still an issue with ECDSA in Windows 10/2012 like there was back with Windows 7? Does anyone know what ECDSA settings are supported by Windows?
In the cert manager it shows the certs working fine and having a corresponding key. The only other thing I do is I package the key and cert from Linux into a .pfx file using "openssl pkcs12 -export -in WINCLIENT1.crt -inkey WINCLIENT1.key -out WINCLIENT1.pfx" but once again, an RSA cert works fine with this.
Also, I have tested this on both Windows 10 and Server 2012.


Client Certificate

Certificate:    Data:        Version: 3 (0x2)        Serial Number: 10171425542929775980 (0x8d2829a409a9fd6c)    Signature Algorithm: ecdsa-with-SHA384        Issuer: C=US, ST=MD, L=SELF, O=SSCA, OU=SS, CN=192.168.1.7        Validity            Not Before: Oct 17 04:33:30 2015 GMT            Not After : Oct 16 04:33:30 2016 GMT        Subject: C=US, ST=MD, L=SELF, OU=SS, CN=SS12 at homelab.com        Subject Public Key Info:            Public Key Algorithm: id-ecPublicKey                Public-Key: (384 bit)                pub:                    04:67:46:7c:2e:ab:6a:fb:a0:86:d4:d2:de:51:af:                    f0:1c:41:2e:30:ff:5e:88:e3:b1:e9:20:42:c7:dc:                    aa:8d:d3:8d:59:fa:1d:19:a8:31:78:c7:21:8e:2a:                    91:f1:c0:30:6f:32:6b:a7:b5:ee:f0:f8:65:1b:87:                    f1:08:f1:59:82:a3:74:43:c0:cc:9a:4f:13:f0:c4:                    2a:8f:97:c0:33:8c:53:18:0b:45:1f:f0:83:9b:35:                    b5:db:a0:79:ee:ce:28                ASN1 OID: secp384r1        X509v3 extensions:            X509v3 Basic Constraints:                CA:FALSE            X509v3 Key Usage:                Digital Signature, Non Repudiation, Key Encipherment            X509v3 Extended Key Usage:                1.3.6.1.5.5.8.2.2, TLS Web Client Authentication            X509v3 Subject Alternative Name:                DNS:SS12 at homelab.com    Signature Algorithm: ecdsa-with-SHA384         30:64:02:30:09:c7:ad:58:54:c1:b5:55:7e:12:9d:95:42:21:         9c:5f:30:0f:05:14:ef:49:1c:8b:cb:a9:a3:3f:98:38:44:06:         92:0f:42:2f:df:cb:f8:d5:71:d0:d1:4f:dc:2d:fa:be:02:30:         37:0f:99:4a:ce:31:a7:7d:62:8e:6f:36:f0:80:71:b1:45:55:         32:ed:50:e9:c9:e9:da:dd:33:65:de:ee:46:3d:9d:3f:56:a6:         d6:81:d5:26:33:82:06:35:c5:5e:c6:29


strongSwan/Server certificate

Certificate:    Data:        Version: 3 (0x2)        Serial Number: 10171425542929775982 (0x8d2829a409a9fd6e)    Signature Algorithm: ecdsa-with-SHA384        Issuer: C=US, ST=MD, L=SELF, O=SSCA, OU=SS, CN=192.168.1.7        Validity            Not Before: Oct 17 04:51:32 2015 GMT            Not After : Oct 16 04:51:32 2016 GMT        Subject: C=US, ST=MD, L=SELF, OU=SS, CN=192.168.1.7        Subject Public Key Info:            Public Key Algorithm: id-ecPublicKey                Public-Key: (384 bit)                pub:                    04:2e:ee:f7:4e:41:f7:61:a4:fc:ba:fb:9e:29:ce:                    62:70:87:4b:ed:1f:51:c7:ab:6c:91:91:68:05:4c:                    56:ff:70:69:9d:04:1a:bd:e1:c6:e3:16:a1:36:c1:                    f5:6f:be:d8:08:53:9a:74:9c:57:4f:be:df:58:b2:                    ab:5e:b2:9e:41:fc:23:ab:e2:26:42:1d:0f:f0:4d:                    86:ec:93:f2:10:16:11:33:ab:f0:7a:42:91:bb:c2:                    d2:a7:42:36:70:94:3f                ASN1 OID: secp384r1        X509v3 extensions:            X509v3 Basic Constraints:                CA:FALSE            X509v3 Key Usage:                Digital Signature, Non Repudiation, Key Encipherment            X509v3 Extended Key Usage:                1.3.6.1.5.5.8.2.2, TLS Web Server Authentication            X509v3 Subject Alternative Name:                IP Address:192.168.1.7    Signature Algorithm: ecdsa-with-SHA384         30:64:02:30:78:99:d6:44:4f:7a:c5:6a:63:8f:91:61:29:b3:         a1:66:97:75:fe:16:0c:67:f1:46:5f:c3:a5:6f:55:e5:98:09:         a5:d3:82:f1:81:33:32:d9:1a:5f:08:38:1c:09:6a:00:02:30:         6f:83:5b:8d:66:c5:b3:f8:91:97:fc:1b:0d:6f:8d:f8:13:eb:         56:83:83:5d:aa:78:35:d4:1c:80:5c:80:47:a0:3b:9b:bd:10:         3b:bd:ef:7d:32:a6:b6:a0:20:7e:02:99

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20151017/0ad1fe74/attachment-0001.html>

More information about the Users mailing list