[Swan] Does libreswan 1.15 have a problem with spaces in CA common names/nicknames
Tony Whyman
tony.whyman at mccallumwhyman.com
Tue Sep 8 09:30:09 UTC 2015
I ask the question because what did work with earlier versions has
stopped working, i.e. both cert import and SA authentication fail.
For example, installing a clean version of libreswan 1.15 using a .deb
file on Ubuntu 14.04 64-bit:
Run ipsec import to set up the certs from a .p12 file
This fails with
ipsec import rebecca.mwassocs.co.uk.p12
Enter password for PKCS12 file:
pk12util: PKCS12 IMPORT SUCCESSFUL
certutil: Could not find cert: MWA Root CA
: PR_FILE_NOT_FOUND_ERROR: File not found
If I then explicitly list the NSS store, I get
certutil -L -d sql:/etc/ipsec.d
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

rebecca.mwassocs.co.uk                                       u,u,u
MWA Root CA                                                  ,,
I can then do
certutil -V -d sql:/etc/ipsec.d -n "MWA Root CA" -u C
certutil: certificate is invalid: Peer's certificate issuer has been
marked as not trusted by the user.
rebecca ~ # certutil -M -d sql:/etc/ipsec.d -n "MWA Root CA" -t "CT,"
rebecca ~ # certutil -V -d sql:/etc/ipsec.d -n "MWA Root CA" -u C
certutil: certificate is valid
So the NSS store seems happy.
However, when I try to start an SA with "rebecca" as the responder, the
initiator fails with INVALID_ID_INFORMATION. Running "rebecca" under
debug all gets:
Sep 8 10:17:09 rebecca pluto[12733]: | refine_host_connection: checking
mwa[1] 172.16.1.16 against mwa[1] 172.16.1.16, best=(none) with
match=0(id=1/ca=0/reqca=1)
Sep 8 10:17:09 rebecca pluto[12733]: | find_host_pair: comparing
172.16.1.62:500 to 0.0.0.0:500
Sep 8 10:17:09 rebecca pluto[12733]: | find_host_pair_conn
(refine_host_connection): 172.16.1.62:500 %any:500 -> hp:mwa
Sep 8 10:17:09 rebecca pluto[12733]: | match_id a=C=GB, ST=blah,
L=blah, O=MWA, OU=Workstation, CN=zeus.mwassocs.co.uk
Sep 8 10:17:09 rebecca pluto[12733]: | b=C=GB, ST=blah,
L=blah, O=MWA, OU=Workstation, CN=zeus.mwassocs.co.uk
Sep 8 10:17:09 rebecca pluto[12733]: | results matched
Sep 8 10:17:09 rebecca pluto[12733]: | trusted_ca_nss called with
a=(empty) b=C=GB, ST=blah, L=blah, O=MWA, OU=Certification Services
Division, CN=MWA Root CA
Sep 8 10:17:09 rebecca pluto[12733]: | trusted_ca_nss called with
a=C=GB, ST=blah, L=blah, O=MWA, OU=Certification Services Division,
CN=MWA Root CA b=C=GB, ST=blah, L=blah, O=MWA, OU=Certification Services
Division, CN=MWA Root CA
Sep 8 10:17:09 rebecca pluto[12733]: message repeated 3 times: [ |
trusted_ca_nss called with a=C=GB, ST=blah, L=blah, O=MWA,
OU=Certification Services Division, CN=MWA Root CA b=C=GB, ST=blah,
L=blah, O=MWA, OU=Certification Services Division, CN=MWA Root CA]
Sep 8 10:17:09 rebecca pluto[12733]: | refine_host_connection: checking
mwa[1] 172.16.1.16 against mwa, best=(none) with match=0(id=1/ca=0/reqca=1)
Sep 8 10:17:09 rebecca pluto[12733]: "mwa"[1] 172.16.1.16 #3:
EXPECTATION FAILED at /tmp/libreswan-3.15/programs/pluto/ikev1.c:2843: r
!= NULL
This looks to me like it's failing when it comes to validating the
certificate CA signature.
"rebecca" is a test system that I use to test the VPN and the same
setup, certificates and all worked fine with 1.13, so this looks like a
regression.
Comparing the 1.13 and 1.15 versions of ipsec import reveals a lot of
changes...
Tony Whyman
MWA
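Added example, not libreswan's own ipsec import script and not code from the post: a small POSIX sh wrapper around the certutil steps above that parses a certutil -L listing without breaking nicknames at spaces, checks that the nickname really exists before marking it trusted, and always passes it as a single -n argument. CERTUTIL and NSSDIR are assumed names that can be overridden; SAMPLE_LIST is a constructed copy of the listing from the post.

```shell
#!/bin/sh
# Helpers for the libreswan NSS store when a CA nickname contains spaces.
# CERTUTIL and NSSDIR are assumptions; override them for testing.
CERTUTIL=${CERTUTIL:-certutil}
NSSDIR=${NSSDIR:-sql:/etc/ipsec.d}

# Constructed copy of the "certutil -L -d sql:/etc/ipsec.d" output from the post.
SAMPLE_LIST='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

rebecca.mwassocs.co.uk                                       u,u,u
MWA Root CA                                                  ,,'

# Reduce a listing on stdin to "flags|nickname" lines. The trust triple is the
# last field; everything before the separating spaces is the nickname, spaces
# included, so "MWA Root CA" survives as one name. Header/blank lines drop out.
parse_cert_list() {
  sed -n 's/^\(.*[^ ]\)  *\([CTcPpuwg]*,[CTcPpuwg]*,[CTcPpuwg]*\) *$/\2|\1/p'
}

# Print the trust flags of an exact nickname from a listing on stdin, or fail
# if it is absent. A partial name such as "MWA" does not match.
trust_flags_of() {
  parse_cert_list | awk -F'|' -v n="$1" '$2 == n { print $1; found = 1 } END { exit !found }'
}

# Same lookup against the live store.
store_flags_of() {
  "$CERTUTIL" -L -d "$NSSDIR" | trust_flags_of "$1"
}

# Mark a CA trusted for peer certificates ("CT," as in the post) only after
# confirming the nickname exists exactly, then validate it as a CA (-u C).
# "$1" is quoted on every call so certutil receives one -n argument.
trust_ca() {
  store_flags_of "$1" >/dev/null || { echo "no such cert: $1" >&2; return 1; }
  "$CERTUTIL" -M -d "$NSSDIR" -n "$1" -t "CT," &&
  "$CERTUTIL" -V -d "$NSSDIR" -n "$1" -u C
}

# Stand-alone demo on the constructed listing (needs no NSS store).
printf '%s\n' "$SAMPLE_LIST" | parse_cert_list
```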