[strongSwan] How to retrieve remote certificates

Noel Kuntze noel at familie-kuntze.de
Thu Feb 16 21:59:26 CET 2017


Hello John,

> In the meantime my experiments have shown that the problem was not associated with certificates at all. This message about bad signature was a result of missing some strongswan basic plugins (so it was an unexpected strongswan installation problem!), all the certificates involved in authentication had valid signatures.

I doubt that. What did you do to fix it?

On 16.02.2017 09:25, John Brown wrote:
> Hi Tobias,
> Sorry for delay, I didn't notice your message.
> 
> In the meantime my experiments have shown that the problem was not associated with certificates at all. This message about bad signature was a result of missing some strongswan basic plugins (so it was an unexpected strongswan installation problem!), all the certificates involved in authentication had valid signatures.
> 
> But extracting the certificates from the log can be useful in the future, I'm going to try your advice. I was trying "enc 4" before but could not find the payload I was interested in - now that I know they are in the logs for sure, I'm going to pay more attention when searching the logs.
> 
> Thank you for your help,
> Best regards,
> John
> 
> 
> 2017-01-25 11:31 GMT+01:00 Tobias Brunner <tobias at strongswan.org>:
> 
>     Hi John,
> 
>     > We have problems with certificate authentication and see "RSA signature
>     > verification failed: Bad signature" during strongswan connection try. We
>     > would like to retrieve all remote certificate chain to "manually" check
>     > this issue. Is this possible using strongswan (for example by enabling
>     > some debugs)?
> 
>     You could increase the log level to get the certificates sent by the
>     peer.  But I'm not sure if that would help much.  When exactly does this
>     happen?  When verifying a certificate?  When verifying the IKE
>     authentication?  Do you use IKEv2 or IKEv1?  Do you have the correct
>     root CA certificate installed?
> 
>     Anyway, if you want to extract the certificates from the log you may
>     increase the log level for the enc subsystem to 3 [1].  You'll get lots
>     of output that way, look for data logged for CERTIFICATE payloads
>     (you'll also have to reconstruct the binary data from the hex output in
>     the log).
> 
>     Regards,
>     Tobias
> 
>     [1] https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
> 

-- 

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
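Tobias's advice above (enc log level 3, then rebuild the binary CERTIFICATE payload from the hex dump) as an added worked example; this is not code from the thread or from strongSwan. The log lines are constructed, and the dump shape (a "=> N bytes @ 0x..." header followed by 16-byte rows of hex pairs and an ASCII column) and the "parsing CERTIFICATE payload" banner are assumptions about charon's output, as is the leading IKEv2 Cert Encoding octet before the DER.

```python
import base64
import re

# Assumed dump shape (constructed, not a real capture): a header "=> N bytes @ 0x..." then 16-byte rows "<offset>: xx xx ...  <ascii>".
HDR = re.compile(r"=> (\d+) bytes @ 0x[0-9a-fA-F]+")
ROW = re.compile(r"\s(\d+):((?:\s+[0-9a-fA-F]{2})+)")

# Constructed sample log: one 24-byte IKEv2 CERT payload, not a real certificate.
LOG = """\
Feb 16 09:25:01 gw charon: 05[ENC] parsing CERTIFICATE payload, 24 bytes
Feb 16 09:25:01 gw charon: 05[ENC] => 24 bytes @ 0x7f1c2c002a30
Feb 16 09:25:01 gw charon: 05[ENC]    0: 04 30 15 02 01 01 04 03  61 62 63 05 00 0c 09 63  .0......abc....c
Feb 16 09:25:01 gw charon: 05[ENC]   16: 65 72 74 2d 64 65 6d 6f                          ert-demo
"""

def extract_dumps(log: str, marker: str = "CERTIFICATE") -> list[bytes]:
    """Return the bytes of every hex dump that follows a banner naming `marker`."""
    dumps, armed, want, buf = [], False, 0, bytearray()
    for line in log.splitlines():
        if "payload" in line:                 # banner lines select the payload type
            armed = marker in line
        elif hdr := HDR.search(line):         # dump header gives the byte count
            want, buf = (int(hdr.group(1)) if armed else 0), bytearray()
        elif want and (row := ROW.search(line)):
            tokens = row.group(2).split()     # hex pairs; the ASCII column is never counted
            buf += bytes.fromhex("".join(tokens[:min(16, want - len(buf))]))
            if len(buf) == want:
                dumps.append(bytes(buf))
                want = 0
    return dumps

def der_length(data: bytes) -> int:
    """Total length (tag + length + value) of the outer DER SEQUENCE."""
    if data[:1] != b"\x30":
        raise ValueError("not a DER SEQUENCE")
    n = data[1] & 0x7F if data[1] >= 0x80 else 0       # long form: n length octets follow
    return 2 + n + (int.from_bytes(data[2:2 + n], "big") if n else data[1])
def cert_der(payload: bytes) -> bytes:
    """Drop the IKEv2 Cert Encoding octet (4 = X.509 Signature, RFC 7296) and check the DER length."""
    if payload[:2] == b"\x04\x30":
        payload = payload[1:]
    if der_length(payload) != len(payload):
        raise ValueError("DER length mismatch: dump truncated or mis-parsed")
    return payload

def to_pem(der: bytes) -> str:
    """PEM-wrap the DER (64-char lines) for `openssl x509 -in cert.pem -noout -text`."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
```

Feed a real enc=3 log to `extract_dumps`, write each `to_pem(cert_der(dump))` to a file, and inspect the chain with openssl; a length mismatch means a row was cut off or the dump shape differs from the one assumed here.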
