[Swan] Empty CERTREQ and Cisco interop failure
Paul Wouters
paul at nohats.ca
Sat Oct 12 20:44:59 EEST 2013
On Sat, 12 Oct 2013, Philippe Vouters wrote:
> Seen from the Cisco IOS router, Libreswan fails to add the issuer information to the Certificate Request payload it sends to it. This
> missing information translates exactly into "issuer not specified in cert request" in the Cisco log and is the root cause of the fatal IOS
> FSM error.
Thanks. That is clear. With that knowledge I see:
http://www.vpnc.org/ietf-ipsec/03.ipsec/msg02383.html
which leads me to: http://tools.ietf.org/html/rfc4945#section-3.2
3.2.7.1. Specifying Certification Authorities
When requesting in-band exchange of keying materials, implementations
SHOULD generate CERTREQs for every peer trust anchor that local
policy explicitly deems trusted during a given exchange.
Implementations SHOULD populate the Certification Authority field
with the Subject field of the trust anchor, populated such that
binary comparison of the Subject and the Certification Authority will
succeed.
Upon receipt of a CERTREQ, implementations MUST respond by sending at
least the end-entity certificate corresponding to the Certification
Authority listed in the CERTREQ unless local security policy
configuration specifies that keying materials must be exchanged out-
of-band. Implementations MAY send certificates other than the end-
entity certificate (see Section 3.3 for discussion).
Your observation seems to suggest we do not send our CA as a client
configured with a specific cert signed by a CA when initiating a
connection. That seems to be a bug (or a feature if you read Section 5
of RFC 4945), in which case we could make this behaviour switchable by
introducing a new option.
Paul
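Added illustration of the RFC 4945 section 3.2.7.1 text quoted in the message above; this is example code written for this page, not code from the thread, from Libreswan or from Cisco. It builds and parses an IKEv1 CERTREQ payload in the RFC 2408 section 3.10 layout (Next Payload, RESERVED, Payload Length, Cert Encoding, Certification Authority), fills the Certification Authority field with the trust anchor's DER-encoded Subject, and on the receiving side selects end-entity certificates by the byte-for-byte comparison the RFC calls for. The tiny DER Name encoder, the sample CA names and the stand-in certificate bytes are constructed here; the certificate encoding value 4 is the RFC 2408 "X.509 Certificate - Signature" code.

```python
import struct

# RFC 2408 section 3.9 certificate encoding value for "X.509 Certificate - Signature".
CERT_ENCODING_X509_SIG = 4


def _der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder (short-form lengths only; enough for a small Name)."""
    if len(body) >= 128:
        raise ValueError("long-form DER lengths are not supported in this example")
    return bytes([tag, len(body)]) + body


def der_cn_name(cn: str, utf8: bool = True) -> bytes:
    """Encode an X.501 Name holding a single commonName RDN (constructed sample).

    Name ::= SEQUENCE OF RDN; RDN ::= SET OF AttributeTypeAndValue.
    The value is a UTF8String (tag 0x0c) or a PrintableString (tag 0x13): the same
    text, but different bytes, which is exactly what a binary comparison notices.
    """
    oid_cn = _der(0x06, b"\x55\x04\x03")  # OID 2.5.4.3 (id-at-commonName)
    value = _der(0x0c if utf8 else 0x13, cn.encode("ascii"))
    atv = _der(0x30, oid_cn + value)
    return _der(0x30, _der(0x31, atv))


def build_certreq(ca_subject_der: bytes, next_payload: int = 0) -> bytes:
    """Build an IKEv1 CERTREQ payload (RFC 2408 section 3.10).

    Layout: Next Payload (1) | RESERVED (1) | Payload Length (2) | Cert Encoding (1)
            | Certification Authority (variable).
    Per RFC 4945 section 3.2.7.1 the CA field carries the trust anchor's Subject DER.
    An empty ca_subject_der yields the "no issuer specified" form discussed in the thread.
    """
    length = 5 + len(ca_subject_der)
    header = struct.pack("!BBHB", next_payload, 0, length, CERT_ENCODING_X509_SIG)
    return header + ca_subject_der


def parse_certreq(payload: bytes) -> dict:
    """Parse a CERTREQ payload, checking the generic header's length field."""
    if len(payload) < 5:
        raise ValueError("CERTREQ payload shorter than its fixed header")
    next_payload, _reserved, length, encoding = struct.unpack("!BBHB", payload[:5])
    if length != len(payload):
        raise ValueError("CERTREQ payload length field does not match payload size")
    return {
        "next_payload": next_payload,
        "cert_encoding": encoding,
        "certification_authority": payload[5:],
    }


def select_certificates(certreq: bytes, local_certs: list) -> list:
    """Responder side: return the end-entity certs whose issuer matches the CA field.

    local_certs is a list of (issuer_name_der, certificate_bytes) tuples (constructed
    here). RFC 4945 asks for a binary comparison of Subject and Certification
    Authority, so the match is on raw DER bytes, not on a printed DN string.
    """
    req = parse_certreq(certreq)
    ca = req["certification_authority"]
    if req["cert_encoding"] != CERT_ENCODING_X509_SIG or not ca:
        # No usable issuer named: a strict peer, as the IOS log line shows, rejects this.
        return []
    return [cert for issuer_der, cert in local_certs if issuer_der == ca]


if __name__ == "__main__":
    ca = der_cn_name("Example CA")
    certs = [
        (der_cn_name("Example CA"), b"<end-entity cert A>"),
        (der_cn_name("Other CA"), b"<end-entity cert B>"),
    ]
    print(select_certificates(build_certreq(ca), certs))   # cert A is offered
    print(select_certificates(build_certreq(b""), certs))  # [] : empty CA field
    # Same DN text encoded as PrintableString: the binary comparison does not match.
    print(select_certificates(build_certreq(der_cn_name("Example CA", utf8=False)), certs))
```

The last call in the demo is the practical caveat behind the RFC's "binary comparison" wording: a CA field that merely prints the same as the trust anchor's Subject is not enough, the initiator has to copy the Subject's DER bytes as they appear in the trust anchor.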