[strongSwan] TLS handshake negotiation fail

yukou katori k10lie.tech at yahoo.co.uk
Sun Feb 28 21:03:56 CET 2016


        rightid=Radius-1_Svr at test <<<
        aaa_identity="C=JP, O=XXX, CN=Radius-1_svr at test"
I'm fishing in the dark but I tried setting the same name of the server's certificate. But I got the same error "access denied".
My parameters are wrong?
# StrongSwan 5.3.5
Regards,

   

 On Monday, 29 February 2016, 4:56, yukou katori <k10lie.tech at yahoo.co.uk> wrote:
 

 Thanks, Noel.
> 'C=ES, O=ACCV, CN=ACCVRAIZ1'
Now I set as follows "C=JP, ST=Some-State, O=XXX, OU=TSO, CN=Radius-1_CA at test" on the CA, and "C=JP, ST=Some-State, O=XXX, OU=TSO, CN=Radius-1_Svr at test" issued by the CA. # self-signed certificate
And I set as follows on StrongSwan:
# eap-ttls-radius configuration
        rightid=Radius-1 at test
        aaa_identity="C=JP, O=XXX, CN=Radius-1_svr at test"
Regards, 

    On Monday, 29 February 2016, 4:44, Noel Kuntze <noel at familie-kuntze.de> wrote:
 

 Now you're just fishing in the dark and guessing.
The format of the certificate is irrelevant. Read the log you pasted and fix the

> Feb 25 14:41:13 tester charon: 05[TLS] server certificate does not match to 'C=ES, O=ACCV, CN=ACCVRAIZ1'
I guess that's from the client. Where did you set that DN?

Regards,
Noel

On 28.02.2016 20:37, yukou katori wrote:
> Hi, Noel
>
> Or this "access denied" can come from pkcs format?
> pkcs#7 is used in this case, pkcs#12 should be used?
>
> Regards,
>
>
> On Sunday, 28 February 2016, 15:20, yukou katori <k10lie.tech at yahoo.co.uk> wrote:
>
>
> Hi, Noel
>
> Thanks.
> I compiled again to isolate this problem.
> The reason why no item about certificates was shown by "ipsec listall" was that I had imported an incorrect certificate from FreeRadius.
> Now I could get the item about CA by "ipsec install".
>
> But I get the same error yet.
>
> What does "access denied" mean?
> This is for TLS 1.2, but it means:
>    access_denied
>      A valid certificate was received, but when access control was
>      applied, the sender decided not to proceed with negotiation.  This
>      message is always fatal.
>    from rfc5246
>
> Access control?
>
> I compiled like this:
> ./configure --prefix=/usr/local --sysconfdir=/usr/local/etc --enable-eap-identity --enable-eap-tls --enable-eap-peap --enable-eap-ttls --enable-eap-mschapv2 --enable-eap-md5
>
> Regards,
>



-- 

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
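A DN-comparison helper for the identities quoted in this thread, added here as an example; it is neither part of the thread nor strongSwan code. It parses the configured aaa_identity and the certificate subject into RDNs and lists every difference (attributes present on only one side, RDN order, and value or case differences). It assumes the archive's " at " stands for "@" and that the configured DN must carry the same RDNs, in the same order and with the same values, as the certificate subject.

```python
"""Compare a configured strongSwan identity (aaa_identity / rightid) against
a certificate subject DN, RDN by RDN, and report every difference.
Added example, not strongSwan code. Assumption: the configured DN must
contain the same RDNs in the same order as the certificate subject."""
import re

# One RDN: attribute '=' value, value runs to the next unescaped comma.
RDN_RE = re.compile(r'\s*([A-Za-z]+)\s*=\s*((?:\\,|[^,])*)')

# DNs as quoted in the thread, with the archive's " at " read as "@" (assumption).
CONFIGURED_AAA_IDENTITY = "C=JP, O=XXX, CN=Radius-1_svr@test"
SERVER_CERT_SUBJECT = "C=JP, ST=Some-State, O=XXX, OU=TSO, CN=Radius-1_Svr@test"


def parse_dn(dn):
    """Split 'C=JP, O=XXX, CN=foo' into [('C', 'JP'), ('O', 'XXX'), ('CN', 'foo')]."""
    return [(attr.upper(), value.strip().replace('\\,', ','))
            for attr, value in RDN_RE.findall(dn)]


def compare_dn(configured, subject, case_sensitive=True):
    """Return human-readable mismatches; an empty list means the DNs agree.
    Limitation: a DN with a repeated attribute (two OUs) is not handled."""
    want, have = parse_dn(configured), parse_dn(subject)
    w_attrs = [a for a, _ in want]
    h_attrs = [a for a, _ in have]
    problems = []
    # RDNs present on only one side (ST and OU in the thread's certificate).
    problems += [f"certificate has {a}, configured DN does not"
                 for a in h_attrs if a not in w_attrs]
    problems += [f"configured DN has {a}, certificate does not"
                 for a in w_attrs if a not in h_attrs]
    # Shared RDNs must appear in the same order.
    common = [a for a in w_attrs if a in h_attrs]
    if common != [a for a in h_attrs if a in w_attrs]:
        problems.append("shared RDNs appear in a different order")
    # Shared RDNs must carry the same value (case matters unless told otherwise).
    w_vals, h_vals = dict(want), dict(have)
    for attr in common:
        a, b = w_vals[attr], h_vals[attr]
        if not case_sensitive:
            a, b = a.lower(), b.lower()
        if a != b:
            problems.append(f"{attr} differs: configured '{w_vals[attr]}', "
                            f"certificate '{h_vals[attr]}'")
    return problems


if __name__ == "__main__":
    for line in compare_dn(CONFIGURED_AAA_IDENTITY, SERVER_CERT_SUBJECT):
        print("mismatch:", line)
```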



   
_______________________________________________
Users mailing list
Users at lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users

  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20160228/7649a434/attachment-0001.html>


More information about the Users mailing list