[strongSwan] Strongswan client: no trusted RSA public key found, sometimes
grossjo2 at hotmail.com
Tue Dec 20 18:07:41 CET 2016
I'm running strongswan 5.5.1 on Ubuntu 12.04.
We are using IKEv1 and XAuth-PAM. I've posted our ipsec.conf at the bottom of this message.
We are seeing an issue where, after some amount of time running,
eventually our client starts to see this error every time it tries to connect:
Dec 19 18:40:52 hostname charon: 15[IKE] signature validation failed, looking for another key
Dec 19 18:40:52 hostname charon: 15[IKE] no trusted RSA public key found for "Cert Subject Removed"
Now if I restart strongswan, or even try the stroke command 'ipsec rereadall', suddenly
connections start working.
I've rebuilt strongswan with extra logging around where this error occurs and I found
that it is failing inside this method:
openssl_rsa_public_key.c, method verify_emsa_pkcs1_signature,
when it tries to call "RSA_public_decrypt".
I took this even further and dumped the openssl error:
error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed
It seems that the server may be returning an invalid signature or public key.
Any ideas on how to handle this? I'm more than willing to add more logging, but I've been unable
to figure out how to get any of the inputs into this method:
len = RSA_public_decrypt(signature.len, signature.ptr, buf, this->rsa,
to dump anything that is human comparable between requests.
charondebug="dmn 1, mgr 1, ike 1, chd 1, job 1, cfg 1, knl 1, net 1, asn 1, enc 1, lib 1, esp 1, tls 1"
# Require all subject fields to be matched by star
# As well as CA's pull in
rightid="C=*, ST=*, L=*, O=*, CN=*, E=*"
Joshua J. Gross
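An added example, not code from strongSwan or OpenSSL: a minimal model of what RSA_public_decrypt with PKCS#1 v1.5 padding does inside verify_emsa_pkcs1_signature, so the "padding check failed" outcome can be reproduced on known inputs (a signature checked against the wrong key or a corrupted signature fails at the padding step, a wrong message fails later at the digest step), plus a fingerprint helper for the kind of per-request, human-comparable dump asked for above. The key is constructed from two Mersenne primes purely so the example is deterministic and offline; the message and the helper names are assumptions.

```python
import hashlib

# Constructed, deliberately non-random key (two Mersenne primes) so the
# example is deterministic and needs no key generation. Never use such a key.
P, Q = (1 << 521) - 1, (1 << 607) - 1
KEY = {"n": P * Q, "e": 65537, "d": pow(65537, -1, (P - 1) * (Q - 1))}
PUB = {"n": KEY["n"], "e": KEY["e"]}
# DER prefix of DigestInfo for SHA-256 (RFC 8017 section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def _k(pub):
    return (pub["n"].bit_length() + 7) // 8  # modulus length in bytes


def sign(key, msg):
    """EMSA-PKCS1-v1_5 encode (00 01 FF..FF 00 DigestInfo), then RSA with d."""
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    em = b"\x00\x01" + b"\xff" * (_k(key) - len(t) - 3) + b"\x00" + t
    return pow(int.from_bytes(em, "big"), key["d"], key["n"]).to_bytes(_k(key), "big")


def public_decrypt_pkcs1(pub, sig):
    """Model of RSA_public_decrypt(..., RSA_PKCS1_PADDING): recover EM with e,
    then check the 00 01 FF..FF 00 framing. Returns (ok, payload_or_reason)."""
    em = pow(int.from_bytes(sig, "big"), pub["e"], pub["n"]).to_bytes(_k(pub), "big")
    sep = em.find(b"\x00", 2)
    if em[:2] != b"\x00\x01" or sep < 10 or any(b != 0xFF for b in em[2:sep]):
        # This branch is what OpenSSL reports as "padding check failed": the
        # signature was not made with the private half of pub, or was damaged.
        return False, "padding check failed"
    return True, em[sep + 1:]


def verify(pub, msg, sig):
    """Full EMSA-PKCS1 verify: padding check first, then DigestInfo comparison."""
    ok, payload = public_decrypt_pkcs1(pub, sig)
    if not ok:
        return False, payload
    if payload != SHA256_DIGESTINFO + hashlib.sha256(msg).digest():
        return False, "digest mismatch"
    return True, "ok"


def fingerprint(pub, sig):
    """Short hashes of the verify inputs: log these per request and diff a
    failing attempt against a working one to tell 'key changed' from
    'signature changed' without dumping full DER."""
    n = pub["n"].to_bytes(_k(pub), "big")
    return {"key": hashlib.sha256(n).hexdigest()[:16],
            "sig": hashlib.sha256(sig).hexdigest()[:16]}
```

In the real code path, the equivalent inputs to fingerprint are the signature chunk and the certificate's modulus before the RSA_public_decrypt call.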