[strongSwan] How to retrieve remote certificates

John Brown jb20141125 at gmail.com
Thu Feb 16 09:25:51 CET 2017

Hi Tobias,
Sorry for delay, I didn't notice your message.

In the meantime my experiments have shown that the problem was not
associated with certificates at all. This message about bad signature was a
result of missing some strongswan basic plugins (so it was an unexpected
strongswan installation problem!), all the certificates involved in
authentication had valid signatures.

But extracting the certificates from log can be useful in future, I'm going
to try your advice. I was trying "enc 4" before but could not find the
payload I was interested in - now if I know that they are in logs for sure,
I'm going to pay more attention during searching the logs.

Thank you for your help,
Best regards,

2017-01-25 11:31 GMT+01:00 Tobias Brunner <tobias at strongswan.org>:

> Hi John,
> > We have problems with certificate authentication and see "RSA signature
> > verification failed: Bad signature" during strongswan connection try. We
> > would like to retrieve all remote certificate chain to "manually" check
> > this issue. Is this possible using strongswan (for example by enabling
> > some debugs)?
> You could increase the log level to get the certificates sent by the
> peer.  But I'm not sure if that would help much.  When exactly does this
> happen?  When verifying a certificate?  When verifying the IKE
> authentication?  Do you use IKEv2 or IKEv1?  Do you have the correct
> root CA certificate installed?
> Anyway, if you want to extract the certificates from the log you may
> increase the log level for the enc subsystem to 3 [1].  You'll get lots
> of output that way, look for data logged for CERTIFICATE payloads
> (you'll also have to reconstruct the binary data from the hex output in
> the log).
> Regards,
> Tobias
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
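
As an added example (not code from this thread or from the strongSwan project) of the reconstruction step Tobias describes, the script below rebuilds the binary bytes of a CERTIFICATE payload from charon's enc-level-3 hex output and wraps them as PEM. It assumes the dump consists of a "=> N bytes @ addr" header followed by "offset: hex pairs  ascii" rows, which is an assumption about the log layout, and the embedded log and DER stub are constructed, not a real certificate.

```python
import base64
import re

# Constructed sample: header/row layout is an assumption about charon's enc-level-3
# dumps; bytes are a hand-made DER stub (SEQUENCE{INTEGER,OCTET STRING}), not a cert.
SAMPLE_LOG = """\
Jan 25 11:31:00 gw charon: 05[ENC] parsing CERTIFICATE payload, 31 bytes
Jan 25 11:31:00 gw charon: 05[ENC]   => 26 bytes @ 0x55d0c2a3e4f0
Jan 25 11:31:00 gw charon: 05[ENC]      0: 30 18 02 01 01 04 13 73  74 72 6F 6E 67 53 77 61  0......strongSwa
Jan 25 11:31:00 gw charon: 05[ENC]     16: 6E 2D 73 61 6D 70 6C 65  2D 30                    n-sample-0
"""

HDR = re.compile(r"=> (\d+) bytes @ 0x[0-9a-fA-F]+")
ROW = re.compile(r"\s(\d+):((?:\s+[0-9A-Fa-f]{2})+)")

def extract_dumps(log_text):
    """Return one bytes object per complete hex dump found in the log text."""
    dumps, expected, buf = [], None, bytearray()
    for line in log_text.splitlines():
        m = HDR.search(line)
        if m:  # new dump starts: keep the previous one only if it was complete
            if expected is not None and len(buf) == expected:
                dumps.append(bytes(buf))
            expected, buf = int(m.group(1)), bytearray()
            continue
        if expected is None or len(buf) >= expected:
            continue
        m = ROW.search(line)
        if not m or int(m.group(1)) != len(buf):  # offset must equal bytes so far
            continue
        tokens = m.group(2).split()[: expected - len(buf)]  # cap: drop ASCII column
        buf.extend(int(t, 16) for t in tokens)
    if expected is not None and len(buf) == expected:
        dumps.append(bytes(buf))
    return dumps

def der_length_ok(der):
    """True if the outer DER SEQUENCE header wraps exactly the recovered bytes."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    n = der[1] & 0x7F if der[1] >= 0x80 else 0  # long form: n length bytes follow
    if 1 <= n <= 4 and len(der) >= 2 + n:
        return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")
    return der[1] < 0x80 and len(der) == 2 + der[1]

def to_pem(der):
    """Wrap DER as PEM so the chain can be inspected with openssl x509 -text."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
```

On real output, call `extract_dumps()` on the saved charon log, keep only dumps for which `der_length_ok()` holds, and check each `to_pem()` result with `openssl x509 -text -noout`.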
