[Swan] OSX - SAN not matched, but debug shows a match
Computerisms Corporation
bob at computerisms.ca
Fri Mar 27 07:00:32 UTC 2020
so I can't permanently upgrade to 3.31 because I have too many windows
machines that use this connection and it isn't feasible to work around
the modp1024 thing. But for grins and giggles, I upgraded anyway just
to see if it would work. Log entries were slightly different, but
essentially the same.
Back on 3.29 now. Completely out of ideas, would be grateful for any
suggestions...
On 2020-03-26 11:35 p.m., Computerisms Corporation wrote:
> k, so I did have an epiphany; didn't help me solve the problem, but I
> had one. Occurs I never checked the debug logs:
>
> Mar 26 22:55:53 doorlian pluto[22028]: | required RSA CA is 'C=CA,
> ST=Yukon, O=Carcross//Tagish First Nations, OU=IT, CN=CTFN Certificate
> Authority'
> Mar 26 22:55:53 doorlian pluto[22028]: | checking RSA keyid
> '@gatelian.computerisms.ca' for match with '@firewall.ctfn.ca'
> Mar 26 22:55:53 doorlian pluto[22028]: | checking RSA keyid 'C=CA,
> ST=Yukon, O=Carcross//Tagish First Nations, OU=IT, CN=Ryan' for match
> with '@firewall.ctfn.ca'
> Mar 26 22:55:53 doorlian pluto[22028]: | checking RSA keyid
> 'ryan at ctfn.ca' for match with '@firewall.ctfn.ca'
>
> ^^This is the cert on the mac
>
>
> Mar 26 22:55:53 doorlian pluto[22028]: | checking RSA keyid
> '@firewall.ctfn.ca' for match with '@firewall.ctfn.ca'
>
> ^^Looks like a match to me???
>
>
> Mar 26 22:55:53 doorlian pluto[22028]: | trusted_ca_nss: trustee A =
> 'C=CA, ST=Yukon, O=Carcross//Tagish First Nations, OU=IT, CN=CTFN
> Certificate Authority'
> Mar 26 22:55:53 doorlian pluto[22028]: | trusted_ca_nss: trustor B =
> 'C=CA, ST=Yukon, O=Carcross//Tagish First Nations, OU=IT, CN=CTFN
> Certificate Authority'
> Mar 26 22:55:53 doorlian pluto[22028]: | key issuer CA is 'C=CA,
> ST=Yukon, O=Carcross//Tagish First Nations, OU=IT, CN=CTFN Certificate
> Authority'
> Mar 26 22:55:53 doorlian pluto[22028]: | #10 spent 1.21
> milliseconds in try_all_RSA_keys() trying a pubkey
>
>
> From here it checks the other certs in the NSS database for a few
> lines, and then it gives this:
>
> Mar 26 22:55:53 doorlian pluto[22028]: "rw-ikev2"[1] 205.234.49.246 #10:
> Signature check (on @firewall.ctfn.ca) failed (wrong key?); tried
> *AwEAAggUh
> Mar 26 22:55:53 doorlian pluto[22028]: | public key for
> @firewall.ctfn.ca failed: decrypted SIG payload into a malformed ECB
> (3NSS error: Not able to decrypt)
> Mar 26 22:55:53 doorlian pluto[22028]: | #10 spent 1.52 milliseconds
> in ikev2_verify_rsa_hash()
>
> So how can it be successfully decrypting the key when Windows connects,
> but not when OSX connects?
>
> ipsec auto --listall shows firewall.ctfn.ca as a public key and an x.509
> cert with a private key.
>
>
>
>
>
>
> On 2020-03-26 10:51 p.m., Computerisms Corporation wrote:
>> Hi Gurus,
>>
>> I have been spinning my wheels on all day, maybe by sending this to
>> the list I will get an epiphany, or if not hopefully someone has some
>> input.
>>
>> have a firewall running v3.29, windows clients are connecting fine,
>> generated mobileconfigs are installing on the OSX clients and appear
>> to have all the correct details. But when I connect with OSX (tested
>> on multiple machines using multiple mobileconfigs), the logs tell me
>> the cert has no matching SAN:
>>
>>
>> Mar 26 21:25:50 doorlian pluto[16012]: "rw-ikev2"[6] 205.234.49.246
>> #720: No matching subjectAltName found for 'firewall.ctfn.ca'
>> Mar 26 21:25:50 doorlian pluto[16012]: "rw-ikev2"[6] 205.234.49.246
>> #720: certificate does not contain subjectAltName=firewall.ctfn.ca
>> Mar 26 21:25:50 doorlian pluto[16012]: "rw-ikev2"[6] 205.234.49.246
>> #720: Peer public key SubjectAltName does not match peer ID for this
>> connection
>> Mar 26 21:25:50 doorlian pluto[16012]: "rw-ikev2"[6] 205.234.49.246
>> #720: IKEv2 mode peer ID is ID_FQDN: '@firewall.ctfn.ca'
>> Mar 26 21:25:50 doorlian pluto[16012]: "rw-ikev2"[6] 205.234.49.246
>> #720: Signature check (on @firewall.ctfn.ca) failed (wrong key?);
>> tried *AwEAAbtUh
>> Mar 26 21:25:50 doorlian pluto[16012]: "rw-ikev2"[6] 205.234.49.246
>> #720: RSA authentication of I2 Auth Payload failed
>> Mar 26 21:25:50 doorlian pluto[16012]: "rw-ikev2"[6] 205.234.49.246
>> #720: responding to IKE_AUTH message (ID 1) from 205.234.49.246:4500
>> with encrypted notification AUTHENTICATION_FAILED
>> Mar 26 21:25:50 doorlian pluto[16012]: "rw-ikev2"[6] 205.234.49.246
>> #720: deleting state (STATE_PARENT_R1) aged 0.171s and NOT sending
>> notification
>>
>> I am not really clear which cert it is talking about, I would expect
>> it to be logging info about the cert on OSX, but the cert name is
>> appropriate for the firewall, and it does have a matching SAN:
>>
>> certutil -L -n firewall.ctfn.ca -d sql:/etc/ipsec.d
>> <snip>
>> Name: Certificate Subject Alt Name
>> DNS name: "firewall.ctfn.ca"
>>
>> Name: Certificate Key Usage
>> Usages: Digital Signature
>> Non-Repudiation
>> Key Encipherment
>>
>> Name: Extended Key Usage
>> TLS Web Server Authentication Certificate
>> </snip>
>>
>> and I am reasonably certain I am using the correct settings in the conn:
>> <snip>
>> left=firewall.ctfn.ca
>> leftsubnet=0.0.0.0/0
>> leftcert=firewall.ctfn.ca
>> leftid=@firewall.ctfn.ca
>> leftrsasigkey=%cert
>> leftsendcert=always
>> right=%any
>> rightca=%same
>> rightrsasigkey=%cert
>> rightid=%fromcert
>> </snip>
>>
>> On another firewall also running 3.29, I have OSX and windows clients
>> connecting fine; I have carefully compared all the configs and
>> certificates and the details seem to be consistent. Clearly I have
>> overlooked something, wondering if anyone has an idea what it is?
>>
>>
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
More information about the Swan
mailing list