[strongSwan] How to retrieve remote certificates

John Brown jb20141125 at gmail.com
Fri Apr 21 12:01:55 CEST 2017


Hello Noel.
The Debian strongswan-standard-plugins package was missing (because of
some earlier upgrade issues); I've reinstalled it and this fixed the
problem.

2017-02-16 21:59 GMT+01:00 Noel Kuntze <noel at familie-kuntze.de>:

> Hello John,
>
> > In the meantime my experiments have shown that the problem was not
> associated with certificates at all. This message about a bad signature was a
> result of missing some strongswan basic plugins (so it was an unexpected
> strongswan installation problem!); all the certificates involved in
> authentication had valid signatures.
>
> I doubt that. What did you do to fix it?
>
> On 16.02.2017 09:25, John Brown wrote:
> > Hi Tobias,
> > Sorry for delay, I didn't notice your message.
> >
> > In the meantime my experiments have shown that the problem was not
> associated with certificates at all. This message about a bad signature was a
> result of missing some strongswan basic plugins (so it was an unexpected
> strongswan installation problem!); all the certificates involved in
> authentication had valid signatures.
> >
> > But extracting the certificates from the log can be useful in future, I'm
> going to try your advice. I was trying "enc 4" before but could not find
> the payload I was interested in - now that I know they are in the logs for
> sure, I'm going to pay more attention while searching the logs.
> >
> > Thank you for your help,
> > Best regards,
> > John
> >
> >
> > 2017-01-25 11:31 GMT+01:00 Tobias Brunner <tobias at strongswan.org>:
> >
> >     Hi John,
> >
> >     > We have problems with certificate authentication and see "RSA
> >     > signature verification failed: Bad signature" during a strongswan
> >     > connection attempt. We would like to retrieve the whole remote
> >     > certificate chain to "manually" check this issue. Is this possible
> >     > using strongswan (for example by enabling some debugs)?
> >
> >     You could increase the log level to get the certificates sent by the
> >     peer.  But I'm not sure if that would help much.  When exactly does
> >     this happen?  When verifying a certificate?  When verifying the IKE
> >     authentication?  Do you use IKEv2 or IKEv1?  Do you have the correct
> >     root CA certificate installed?
> >
> >     Anyway, if you want to extract the certificates from the log you may
> >     increase the log level for the enc subsystem to 3 [1].  You'll get
> >     lots of output that way, look for data logged for CERTIFICATE payloads
> >     (you'll also have to reconstruct the binary data from the hex output
> >     in the log).
> >
> >     Regards,
> >     Tobias
> >
> >     [1] https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
> >
> >
>
> --
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
>
>
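Tobias's suggestion in the quoted thread (raise the enc log level to 3, then rebuild the binary CERTIFICATE payload from the hex dump) as an added Python example; this is not code from the thread or from strongSwan. It assumes the dump takes the shape of a `=> N bytes @ <addr>` header followed by `offset: hex bytes  ascii` rows with 16 bytes per row; the syslog prefix, the log excerpt and the DER bytes are all constructed, not a real certificate.

```python
import re

# Constructed sample in the shape the enc-level-3 hex dump is assumed to take:
# syslog prefix, a "=> N bytes @ addr" header, then "offset: hex bytes  ascii" rows.
# The dumped bytes are a tiny hand-made DER SEQUENCE, not a real certificate.
SAMPLE_LOG = """\
Apr 21 12:01:55 gw charon: 10[ENC] => 22 bytes @ 0x55d0c0c1e9e0
Apr 21 12:01:55 gw charon: 10[ENC]    0: 30 14 02 01 05 04 0F 73 74 72 6F 6E 67 53 77 61  0......strongSwa
Apr 21 12:01:55 gw charon: 10[ENC]   16: 6E 20 74 65 73 74                                n test
"""

HEADER = re.compile(r"=> (\d+) bytes @ 0x[0-9a-fA-F]+")
ROW = re.compile(r"\b(\d+):\s+(.*)$")    # byte offset, then hex tokens and ASCII column
BYTES_PER_ROW = 16

def extract_dumps(log_text):
    """Return every complete hex dump found in log_text as bytes, in order."""
    dumps, total, buf = [], None, bytearray()
    for line in log_text.splitlines():
        h = HEADER.search(line)
        if h:
            if total is not None:
                raise ValueError("new dump header before previous dump completed")
            total, buf = int(h.group(1)), bytearray()
            continue
        if total is None:
            continue                       # ordinary log line outside a dump
        r = ROW.search(line)
        if not r or int(r.group(1)) != len(buf):
            raise ValueError(f"unexpected line inside dump: {line!r}")
        # Take exactly the tokens this row must carry; everything after is the ASCII column.
        n = min(BYTES_PER_ROW, total - len(buf))
        buf += bytes.fromhex("".join(r.group(2).split()[:n]))
        if len(buf) == total:
            dumps.append(bytes(buf))
            total = None
    if total is not None:
        raise ValueError("log ends inside an incomplete dump")
    return dumps

def der_sequence_length(data):
    """Total encoded length of the DER SEQUENCE at the start of data (sanity check)."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = data[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long form: n length octets follow
    if n == 0 or len(data) < 2 + n:
        raise ValueError("bad DER length")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")
```

A dump whose `der_sequence_length` equals its byte count is one complete DER object; written to a `.der` file it can be inspected with `openssl x509 -inform DER -text`.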