[Swan] Question/troubleshooting x509 w/ intermediate & root CA

Bryan Harris bryanlharris at gmail.com
Fri Sep 23 16:44:52 UTC 2016


Hi Paul,

Welp, I got to playing around with the old certs that were working, and I
somehow broke them.  Then I went back through everything and noticed I had
to change the trust bits.

So these trust bits work:

"CT,,"

These also work:

"CTu,CTu,CTu"

But of course if I manually set trust bits to ",," on the CA then the
tunnel breaks.

And I can't recall where I found the documentation for these, but I had
read it at some point.  But the NEW certs import properly in the first
place, so there is not a need (I thought) to set any trust bits (the new
ones look like "CT,," so I left it alone).

One other funny thing is that even though the tunnel works using the old
certs with the proper trust bits, when I do an "ipsec auto --listall" each
server still only shows its own cert in that top list for "List of RSA
Public Keys".  But the tunnel comes up.  There was an old thread on this
list where I thought it was implied that both certs need to show up in that
top list, but I could be wrong about that.

I'm going to revert back to using the new certs and turn on the x509
debugging and respond again with how it goes.

V/r,
Bryan


On Fri, Sep 23, 2016 at 12:26 PM, Paul Wouters <paul at nohats.ca> wrote:

> On Fri, 23 Sep 2016, Bryan Harris wrote:
>
>> And I notice when I go back to my old certs that were working, I can see
>> the RSA public key in the ipsec auto --listall output.  I
>> wonder, if anyone knows, why does the cert not come across the line when
>> I'm using the new configuration?  If I look at the logs, I
>> see that it doesn't work, but I don't understand why.
>>
>
> you can try running with plutodebug=x509 enabled
> (or run ipsec whack --debug-x509 before trying to
> bring up the connection)
>
> Paul
>
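The trust-bit problem discussed above (a CA entry whose flags are ",," instead of "CT,,") is easy to miss by eye in a long NSS database listing. The following is an added example, not code from the thread or from Libreswan: a small POSIX sh checker that reads "certutil -L"-style output and reports CA nicknames whose SSL column lacks the C and T flags. The listing embedded below is constructed; the nicknames are placeholders.

```shell
#!/bin/sh
# Added example: flag CA entries in an NSS database listing whose trust
# attributes would break an IPsec tunnel. certutil's SSL column uses
# C = trusted CA to issue server certs, T = trusted CA to issue client
# certs, u = user cert. "CT,," is the working form from the mail; ",," is
# the broken one. In practice feed it the output of
#     certutil -L -d sql:/etc/ipsec.d
# The listing below is constructed sample data, not a real database.
SAMPLE_LISTING='Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

Example Root CA                               CT,,
Example Intermediate CA                       ,,
east.example.org                              u,u,u'

# trust_flags NICKNAME LISTING -> prints the trust attribute field of NICKNAME
trust_flags() {
    printf '%s\n' "$2" | awk -v n="$1" '
        NR > 2 && NF >= 2 {
            attr = $NF; $NF = ""; sub(/[ \t]+$/, "")   # split off last field
            if ($0 == n) { print attr; exit }
        }'
}

# ca_is_trusted NICKNAME LISTING -> exit 0 if SSL column carries both C and T
ca_is_trusted() {
    flags=$(trust_flags "$1" "$2")
    ssl=${flags%%,*}                     # first comma-separated column
    case $ssl in
        *C*T*|*T*C*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Report every CA nickname that would not be trusted by the IKE daemon.
for nick in 'Example Root CA' 'Example Intermediate CA'; do
    if ca_is_trusted "$nick" "$SAMPLE_LISTING"; then
        echo "OK   $nick: $(trust_flags "$nick" "$SAMPLE_LISTING")"
    else
        echo "WARN $nick: '$(trust_flags "$nick" "$SAMPLE_LISTING")' lacks C and T in the SSL column"
    fi
done
```

Running it against the constructed listing reports the intermediate CA as the broken entry, which is the symptom described in the mail when the trust bits are set to ",,".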