[strongSwan] New Android update option - how to best exploit?

Karl Denninger karl at denninger.net
Wed Jul 5 16:34:45 CEST 2017


On 7/5/2017 09:25, Tobias Brunner wrote:
> Hi Karl,
>
>> BTW is the OCSP check failure due to lack of "curl" support in the
>> Android client?
> No, it's because the revocation plugin can't build an OCSP request (only
> the x509 plugin can do so but on Android we use the openssl plugin to
> parse certificates so that plugin isn't enabled).  I guess we could just
> disable OCSP verification in the revocation plugin until that's supported.

The inability to use OCSP is actually sort of a problem for those of us
who are actively using OCSP for its intended purpose, in that a revoked
cert will still be accepted.... :-)  I will have to be more diligent
with CRL generation (I've slacked on that here since I got an OCSP
responder working well).

>> In any event the failure there appears to be wrong as the "CN" has to be
>> set differently to the RSA's CN or the cert won't certify by the CA (due
>> to being a duplicate); the SAN DNS field IS correct (genesis.denninger.net)
>>
>>             X509v3 Subject Alternative Name:
>>                 email:postmaster at denninger.net, DNS:genesis.denninger.net
>>             X509v3 Extended Key Usage:
>>                 TLS Web Server Authentication
> Have you set a server identity in the VPN profile?  Could you send me
> the cert so I can have a look at it?
>
>> I will try it with the RSA certificate:
>>
>> Uh, nope.  Same problem with the same log entry from the client.
> Did that work before?  Does it work if you select the CA certificate
> instead of the server certificate in the profile?
>
> Regards,
> Tobias

Yes.  If the frag-eating monster does not get me, BOTH certificates work
(when sent from the server with the switch turned on.)  I recently
regenerated the RSA one in an attempt to kill the frag issue (it was a
4k RSA cert, is now a 2k RSA cert).

I'll email you privately with the two certificate files as attachments.

-- 
Karl Denninger
karl at denninger.net <mailto:karl at denninger.net>
/The Market Ticker/
/[S/MIME encrypted email preferred]/
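
As an added example (not code from the thread or from strongSwan), the checks a VPN client that cannot perform OCSP should still make on a server certificate: CA signature, CRL-based revocation as the fallback mentioned above, a server identity that matches a SAN DNS name rather than the CN, and the TLS Web Server Authentication EKU. It assumes the Python `cryptography` library; the CA, server certificate and CRL are constructed throwaway test data, and `vpn.example.test` is a placeholder for the real server identity.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID, ExtendedKeyUsageOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

NOW = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)  # naive UTC

def _cert(subject, issuer, key, signer, serial, exts):
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
         .public_key(key.public_key()).serial_number(serial)
         .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=365)))
    for ext in exts:
        b = b.add_extension(ext, critical=False)
    return b.sign(signer, hashes.SHA256())

def make_pki(server_dns, revoke=False):
    """Constructed throwaway PKI: CA, server cert with SAN + serverAuth EKU, CRL."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example VPN CA")])
    ca = _cert(ca_name, ca_name, ca_key, ca_key, 1, [x509.BasicConstraints(True, None)])
    # CN deliberately differs from the DNS name, as in the thread; match on the SAN.
    srv_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "vpn-gateway")])
    srv = _cert(srv_name, ca_name, ec.generate_private_key(ec.SECP256R1()), ca_key, 2,
                [x509.SubjectAlternativeName([x509.DNSName(server_dns)]),
                 x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH])])
    crl = (x509.CertificateRevocationListBuilder().issuer_name(ca_name)
           .last_update(NOW).next_update(NOW + datetime.timedelta(days=7)))
    if revoke:  # the case the thread worries about: the server cert was revoked
        crl = crl.add_revoked_certificate(x509.RevokedCertificateBuilder()
                                          .serial_number(2).revocation_date(NOW).build())
    return ca, srv, crl.sign(ca_key, hashes.SHA256())

def check_server_cert(ca, srv, crl, identity):
    problems = []  # empty list means the certificate is acceptable
    try:  # the server cert must really be signed by the trusted CA
        ca.public_key().verify(srv.signature, srv.tbs_certificate_bytes,
                               ec.ECDSA(srv.signature_hash_algorithm))
    except Exception:
        problems.append("bad-issuer-signature")
    # CRL fallback for revocation: the CRL must be CA-signed and not expired
    if not crl.is_signature_valid(ca.public_key()) or crl.next_update < NOW:
        problems.append("crl-unusable")
    elif crl.get_revoked_certificate_by_serial_number(srv.serial_number) is not None:
        problems.append("revoked")
    san = srv.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    if identity not in san.get_values_for_type(x509.DNSName):  # identity via SAN DNS
        problems.append("identity-mismatch")
    eku = srv.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    if ExtendedKeyUsageOID.SERVER_AUTH not in eku:  # cert must be usable for a server
        problems.append("no-serverauth-eku")
    return problems
```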

