[strongSwan] TLS handshake negotiation fail

Noel Kuntze noel at familie-kuntze.de
Thu Feb 25 16:38:02 CET 2016


Hello Yukou,

> Client(StrongSwan5.3.5) --- authenticator --- TTLS Server/Radius Server(Freeradius2.1.12)
>> Feb 25 14:41:13 tester charon: 05[TLS] server certificate does not match to 'C=AAA, O=OOO, CN=TEST'
What does your config look like? Obviously, the RADIUS server only authenticates itself, not the authenticator.

> I installed certification of the server:
> ipsec.d/certs/
Where is that exactly? Are you aware that the location of ipsec.d changes, depending on the compile time
sysconfdir and prefix settings?

> When I checked by "ipsec listall", no item about "List of X.509 End Entity Certificates" is listed up.
Make sure you understand where charon thinks ipsec.d actually is.



On 25.02.2016 08:51, yukou katori wrote:
> Hi,
>
> I'm setting up EAP-TTLS-Radius client on StrongSwan5.3.5.
>
> Client(StrongSwan5.3.5) --- authenticator --- TTLS Server/Radius Server(Freeradius2.1.12)
>
> I got the following error when the Client tries to connect.
> > Feb 25 14:41:13 tester charon: 05[TLS] server certificate does not match to 'C=AAA, O=OOO, CN=TEST'
>
> I installed certification of the server:
> ipsec.d/certs/
>
> /usr/local/etc/ipsec.d# ls certs/
> server.pem
>
> When I checked by "ipsec listall", no item about "List of X.509 End Entity Certificates" is listed up.
>
> Is it wrong about the way to store certificate?
> Or another reason? (e.g. plugin is not enough)
>
> Regards,
>
> Log:
> Feb 25 14:41:13 tester charon: 05[TLS] negotiated TLS 1.0 using suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA
> Feb 25 14:41:13 tester charon: 05[TLS] processing TLS Handshake record (708 bytes)
> Feb 25 14:41:13 tester charon: 05[TLS] received TLS Certificate handshake (704 bytes)
> Feb 25 14:41:13 tester charon: 05[LIB] signature verification:
> Feb 25 14:41:13 tester charon: 05[TLS] server certificate does not match to 'C=ES, O=ACCV, CN=ACCVRAIZ1'
> Feb 25 14:41:13 tester charon: 05[TLS] buffering 254 bytes, 254 bytes of 530 byte TLS record received
> Feb 25 14:41:13 tester charon: 05[TLS] sending fatal TLS alert 'access denied'


-- 

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
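As an added illustration (not part of this thread), a small parser for the charon `[TLS]` lines quoted above: it records the negotiated version and suite, the identity charon expected the server certificate to match, and the fatal alert, and flags the mismatch and the legacy protocol version. The sample log is constructed from the lines in the original report.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the charon [TLS] lines from the report above.
SAMPLE_LOG = """\
Feb 25 14:41:13 tester charon: 05[TLS] negotiated TLS 1.0 using suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA
Feb 25 14:41:13 tester charon: 05[TLS] processing TLS Handshake record (708 bytes)
Feb 25 14:41:13 tester charon: 05[TLS] received TLS Certificate handshake (704 bytes)
Feb 25 14:41:13 tester charon: 05[LIB] signature verification:
Feb 25 14:41:13 tester charon: 05[TLS] server certificate does not match to 'C=ES, O=ACCV, CN=ACCVRAIZ1'
Feb 25 14:41:13 tester charon: 05[TLS] buffering 254 bytes, 254 bytes of 530 byte TLS record received
Feb 25 14:41:13 tester charon: 05[TLS] sending fatal TLS alert 'access denied'
"""

TLS_LINE = re.compile(r"charon: (?P<thread>\d+)\[TLS\] (?P<msg>.*)$")
NEGOTIATED = re.compile(r"negotiated (?P<version>TLS 1\.\d) using suite (?P<suite>\S+)")
MISMATCH = re.compile(r"server certificate does not match to '(?P<identity>[^']+)'")
ALERT = re.compile(r"sending fatal TLS alert '(?P<alert>[^']+)'")

@dataclass
class TlsHandshake:
    thread: str
    version: str
    suite: str
    expected_identity: Optional[str] = None
    fatal_alert: Optional[str] = None
    findings: List[str] = field(default_factory=list)

def analyse(log: str) -> List[TlsHandshake]:
    """Walk the log in order; a 'negotiated' line opens a new handshake record,
    later [TLS] lines from the same worker thread are attached to it."""
    handshakes: List[TlsHandshake] = []
    current: Optional[TlsHandshake] = None
    for line in log.splitlines():
        m = TLS_LINE.search(line)
        if not m:
            continue  # not a [TLS] line (e.g. the 05[LIB] signature line)
        thread, msg = m["thread"], m["msg"]
        if n := NEGOTIATED.match(msg):
            current = TlsHandshake(thread, n["version"], n["suite"])
            handshakes.append(current)
            if current.version in ("TLS 1.0", "TLS 1.1"):
                current.findings.append(f"legacy protocol negotiated: {current.version}")
            continue
        if current is None or current.thread != thread:
            continue  # belongs to a handshake whose start we did not see
        if mm := MISMATCH.match(msg):
            current.expected_identity = mm["identity"]
            current.findings.append(f"server certificate subject does not match {mm['identity']!r}")
        elif a := ALERT.match(msg):
            current.fatal_alert = a["alert"]
    return handshakes
```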

