[Swan] [EXTERNAL] Re: AW: INVALID_ID_INFORMATION

LAURIA Giuseppe giuseppe.lauria at axa-winterthur.ch
Fri Mar 8 16:15:58 UTC 2019 

Hi Paul.




>>The other end's CERT payload did not contain an EE certificate? Looks like they are sending a bad certificate chain.

But when I look into the other servers database it looks like to be "good":


On the right server:
[root at lxfapp31 ipsec.d]# certutil -d sql:. -V -n ivoryserver -u C
certutil: certificate is valid

[root at lxfapp31 ipsec.d]# certutil -d sql:. -O -n ivoryserver
"AXA-Enterprise-Root-CA" [C=FR,CN=AXA-Enterprise-Root-CA,O=GIE AXA]

  "AXA-Issuing-CA-PR1 - GIE AXA" [C=FR,CN=AXA-Issuing-CA-PR1,O=GIE AXA]

    "ivoryserver" [CN=ivorylbmaint.dev.axa-ch.intraxa,OU=applid:COM-728,OU=appl:ivory,OU=pltStage:dev,OU=tenantStage:maint,OU=axans:ch-ivory,O=axa-tech-ch,C=CH]

[root at lxfapp31 ipsec.d]#




>>>>>>Looks like you either hardcoded the certificate using rightcert= or you used a rightrsasigkey= ?

Yes:
In the right server it is defined:
         rightcert="ivoryserver"

In the left server it is named:
         rightcert="lxfapp31.dev.axa-ch.intraxa" ( see below ) should I avoid this ? Did I define too many attributes ? In older vesion it worked.


>>>>>The newer code uses NSS instead of custom X509 validation code. NSS is more secure, and likely more strict. Perhaps you had the cert hardcoded and the CERT payload wasn't used before? And now we reject the hardcoded certificate because we are more strict on the CERT payload (even if we don't need the CERT payload due to hardcoded cert/pubkey ?)

>>>>>That's a theory anyway.

Do not understand where I can fix something here.



>>>>>>>>>>>The other end should send its EE-cert as CERT payload. It may send intermediate CA's as well (and we support receiving those as proper CERT payloads or the broken microsoft pkcs#7 formatted ones).


How can I do this ? ( I'm the other side also here in this case )




Certificate Left server in db:

[root at DDAA2053 ipsec.d]# certutil -d sql:. -V -n ivorycloudmaint1.dev.axa-ch.intraxa -u C
certutil: certificate is valid
[root at DDAA2053 ipsec.d]# certutil -d sql:. -O -n ivorycloudmaint1.dev.axa-ch.intraxa
"C=FR,CN=AXA-Enterprise-Root-CA,O=GIE AXA" [C=FR,CN=AXA-Enterprise-Root-CA,O=GIE AXA]

  "C=FR,CN=AXA-Issuing-CA-PR1,O=GIE AXA" [C=FR,CN=AXA-Issuing-CA-PR1,O=GIE AXA]

    "ivorycloudmaint1.dev.axa-ch.intraxa" [CN=ivorycloudmaint1.dev.axa-ch.intraxa,OU=applid:COM-728,OU=appl:ivory,OU=tenantStage:maint,OU=axans:ch-ivory,O=axa-ch,C=CH]

[root at DDAA2053 ipsec.d]#




Certificate Right server in db:

[root at DDAA2053 ipsec.d]# certutil -d sql:. -V -n lxfapp31.dev.axa-ch.intraxa -e -u C
certutil: certificate is valid
[root at DDAA2053 ipsec.d]# certutil -d sql:. -O -n lxfapp31.dev.axa-ch.intraxa
"C=FR,CN=AXA-Enterprise-Root-CA,O=GIE AXA" [C=FR,CN=AXA-Enterprise-Root-CA,O=GIE AXA]

  "C=FR,CN=AXA-Issuing-CA-PR1,O=GIE AXA" [C=FR,CN=AXA-Issuing-CA-PR1,O=GIE AXA]

    "lxfapp31.dev.axa-ch.intraxa" [CN=ivorylbmaint.dev.axa-ch.intraxa,OU=applid:COM-728,OU=appl:ivory,OU=pltStage:dev,OU=tenantStage:maint,OU=axans:ch-ivory,O=axa-tech-ch,C=CH]

[root at DDAA2053 ipsec.d]#




I have defined :
In left server:
conn cloud_core_tunnel
        left=ivorycloudmaint1.dev.axa-ch.intraxa
        leftid=%fromcert
        leftcert="ivorycloudmaint1.dev.axa-ch.intraxa"
        leftrsasigkey=%cert
        leftsendcert=always
        right=lxfapp31.dev.axa-ch.intraxa
#        rightid="CN=lxfapp31.dev.axa-ch.intraxa,OU=applid:COM-728,OU=appl:ivory,OU=pltStage:dev,OU=tenantStage:maint,OU=axans:ch-ivory,O=axa-tech-ch,C=CH"
#        rightid="CN=ivorylbmaint.dev.axa-ch.intraxa,OU=applid:COM-728,OU=appl:ivory,OU=pltStage:dev,OU=tenantStage:maint,OU=axans:ch-ivory,O=axa-tech-ch,C=CH"
        rightid=%fromcert
        rightcert="lxfapp31.dev.axa-ch.intraxa"
        rightprotoport=tcp/8080
        rightrsasigkey=%cert
        #auto=start
        authby=rsasig
        type=transport
        ike=aes256-sha2-modp2048
        phase2=esp
        phase2alg=aes_gcm-null
        salifetime=240m
        fragmentation=yes



In right server:

conn cloud_core_tunnel
#        left=ddaa2053.ppprivmgmt.intraxa
        left=ivorycloudmaint1.dev.axa-ch.intraxa
#        leftid="CN=ivorycloudmaint1.dev.axa-ch.intraxa"
        leftid=%fromcert
        leftcert="ddaa2053.ppprivmgmt.intraxa"
        leftrsasigkey=%cert
        leftsendcert=always
        right=lxfapp31.dev.axa-ch.intraxa
#        right=ivorylbmaint.dev.axa-ch.intraxa
        rightcert="ivoryserver"
        rightprotoport=tcp/8080
        rightrsasigkey=%cert

        #auto=start
        authby=rsasig
        type=transport
        ike=aes256-sha2-modp2048
        phase2=esp
        phase2alg=aes_gcm-null
        salifetime=240m
        fragmentation=yes

Still I get 

104 "cloud_core_tunnel" #9: STATE_MAIN_I1: initiate
106 "cloud_core_tunnel" #9: STATE_MAIN_I2: sent MI2, expecting MR2
002 "cloud_core_tunnel" #9: I am sending my cert
002 "cloud_core_tunnel" #9: I am sending a certificate request
108 "cloud_core_tunnel" #9: STATE_MAIN_I3: sent MI3, expecting MR3
002 "cloud_core_tunnel" #9: Peer ID is ID_DER_ASN1_DN: 'C=CH, O=axa-tech-ch, OU=axans:ch-ivory, OU=tenantStage:maint, OU=pltStage:dev, OU=appl:ivory, OU=applid:COM-728, CN=ivorylbmaint.dev.axa-ch.intraxa'
002 "cloud_core_tunnel" #9: X509: no EE-cert in chain!
002 "cloud_core_tunnel" #9: X509: Certificate rejected for this connection
002 "cloud_core_tunnel" #9: X509: CERT payload bogus or revoked
218 "cloud_core_tunnel" #9: STATE_MAIN_I3: INVALID_ID_INFORMATION
002 "cloud_core_tunnel" #9: sending encrypted notification INVALID_ID_INFORMATION to 10.152.119.60:500



Is it the certificate configured in the conf file wrong or the certificate sent on the wire wrong ? Over which one is it complaining ?

Are there more tools to verify/troubleshoot cert is ok or not ok ? on both ends ?


Thank you very much.
Best.
Giuseppe

More information about the Swan mailing list