[Swan] OSX - SAN not matched, but debug shows a match - figured
Computerisms Corporation
bob at computerisms.ca
Fri Mar 27 17:40:42 UTC 2020
k, so on my working example, in the LocalIdentifier in mobileconfig, I
have the firewall's DNS name. working with 3 macs.
on this one, I had to change the LocalIdentifier to match the CN in the
user's certificate. working now, at least for one Mac.
On 2020-03-27 12:00 a.m., Computerisms Corporation wrote:
> so I can't permanently upgrade to 3.31 because I have too many windows
> machines that use this connection and it isn't feasible to work around
> the modp1024 thing. But for grins and giggles, I upgraded anyway just
> to see if it would work. Log entries were slightly different, but
> essentially the same.
>
> Back on 3.29 now. Completely out of ideas, would be grateful for any
> suggestions...
>
> On 2020-03-26 11:35 p.m., Computerisms Corporation wrote:
>> k, so I did have an epiphany; didn't help me solve the problem, but I
>> had one. Occurs I never checked the debug logs:
>>
>> Mar 26 22:55:53 doorlian pluto[22028]: | required RSA CA is 'C=CA,
>> ST=Yukon, O=Carcross//Tagish First Nations, OU=IT, CN=CTFN Certificate
>> Authority'
>> Mar 26 22:55:53 doorlian pluto[22028]: | checking RSA keyid
>> '@gatelian.computerisms.ca' for match with '@firewall.ctfn.ca'
>> Mar 26 22:55:53 doorlian pluto[22028]: | checking RSA keyid 'C=CA,
>> ST=Yukon, O=Carcross//Tagish First Nations, OU=IT, CN=Ryan' for match
>> with '@firewall.ctfn.ca'
>> Mar 26 22:55:53 doorlian pluto[22028]: | checking RSA keyid
>> 'ryan at ctfn.ca' for match with '@firewall.ctfn.ca'
>>
>> ^^This is the cert on the mac
>>
>>
>> Mar 26 22:55:53 doorlian pluto[22028]: | checking RSA keyid
>> '@firewall.ctfn.ca' for match with '@firewall.ctfn.ca'
>>
>> ^^Looks like a match to me???
>>
>>
>> Mar 26 22:55:53 doorlian pluto[22028]: | trusted_ca_nss: trustee A =
>> 'C=CA, ST=Yukon, O=Carcross//Tagish First Nations, OU=IT, CN=CTFN
>> Certificate Authority'
>> Mar 26 22:55:53 doorlian pluto[22028]: | trusted_ca_nss: trustor B =
>> 'C=CA, ST=Yukon, O=Carcross//Tagish First Nations, OU=IT, CN=CTFN
>> Certificate Authority'
>> Mar 26 22:55:53 doorlian pluto[22028]: | key issuer CA is 'C=CA,
>> ST=Yukon, O=Carcross//Tagish First Nations, OU=IT, CN=CTFN Certificate
>> Authority'
>> Mar 26 22:55:53 doorlian pluto[22028]: | #10 spent 1.21
>> milliseconds in try_all_RSA_keys() trying a pubkey
>>
>>
>> From here it checks the other certs in the NSS database for a few
>> lines, and then it gives this:
>>
>> Mar 26 22:55:53 doorlian pluto[22028]: "rw-ikev2"[1] 205.234.49.246
>> #10: Signature check (on @firewall.ctfn.ca) failed (wrong key?); tried
>> *AwEAAggUh
>> Mar 26 22:55:53 doorlian pluto[22028]: | public key for
>> @firewall.ctfn.ca failed: decrypted SIG payload into a malformed ECB
>> (3NSS error: Not able to decrypt)
>> Mar 26 22:55:53 doorlian pluto[22028]: | #10 spent 1.52
>> milliseconds in ikev2_verify_rsa_hash()
>>
>> So how can it be successfully decrypting the key when Windows
>> connects, but not when OSX connects?
>>
>> ipsec auto --listall shows firewall.ctfn.ca as a public key and an
>> x.509 cert with a private key.
>>
>>
>>
>>
>>
>>
>> On 2020-03-26 10:51 p.m., Computerisms Corporation wrote:
>>> Hi Gurus,
>>>
>>> I have been spinning my wheels on all day, maybe by sending this to
>>> the list I will get an epiphany, or if not hopefully someone has some
>>> input.
>>>
>>> have a firewall running v3.29, windows clients are connecting fine,
>>> generated mobileconfigs are installing on the OSX clients and appear
>>> to have all the correct details. But when I connect with OSX (tested
>>> on multiple machines using multiple mobileconfigs), the logs tell me
>>> the cert has no matching SAN:
>>>
>>>
>>> Mar 26 21:25:50 doorlian pluto[16012]: "rw-ikev2"[6] 205.234.49.246
>>> #720: No matching subjectAltName found for 'firewall.ctfn.ca'
>>> Mar 26 21:25:50 doorlian pluto[16012]: "rw-ikev2"[6] 205.234.49.246
>>> #720: certificate does not contain subjectAltName=firewall.ctfn.ca
>>> Mar 26 21:25:50 doorlian pluto[16012]: "rw-ikev2"[6] 205.234.49.246
>>> #720: Peer public key SubjectAltName does not match peer ID for this
>>> connection
>>> Mar 26 21:25:50 doorlian pluto[16012]: "rw-ikev2"[6] 205.234.49.246
>>> #720: IKEv2 mode peer ID is ID_FQDN: '@firewall.ctfn.ca'
>>> Mar 26 21:25:50 doorlian pluto[16012]: "rw-ikev2"[6] 205.234.49.246
>>> #720: Signature check (on @firewall.ctfn.ca) failed (wrong key?);
>>> tried *AwEAAbtUh
>>> Mar 26 21:25:50 doorlian pluto[16012]: "rw-ikev2"[6] 205.234.49.246
>>> #720: RSA authentication of I2 Auth Payload failed
>>> Mar 26 21:25:50 doorlian pluto[16012]: "rw-ikev2"[6] 205.234.49.246
>>> #720: responding to IKE_AUTH message (ID 1) from 205.234.49.246:4500
>>> with encrypted notification AUTHENTICATION_FAILED
>>> Mar 26 21:25:50 doorlian pluto[16012]: "rw-ikev2"[6] 205.234.49.246
>>> #720: deleting state (STATE_PARENT_R1) aged 0.171s and NOT sending
>>> notification
>>>
>>> I am not really clear which cert it is talking about, I would expect
>>> it to be logging info about the cert on OSX, but the cert name is
>>> appropriate for the firewall, and it does have a matching SAN:
>>>
>>> certutil -L -n firewall.ctfn.ca -d sql:/etc/ipsec.d
>>> <snip>
>>> Name: Certificate Subject Alt Name
>>> DNS name: "firewall.ctfn.ca"
>>>
>>> Name: Certificate Key Usage
>>> Usages: Digital Signature
>>> Non-Repudiation
>>> Key Encipherment
>>>
>>> Name: Extended Key Usage
>>> TLS Web Server Authentication Certificate
>>> </snip>
>>>
>>> and I am reasonably certain I am using the correct settings in the conn:
>>> <snip>
>>> left=firewall.ctfn.ca
>>> leftsubnet=0.0.0.0/0
>>> leftcert=firewall.ctfn.ca
>>> leftid=@firewall.ctfn.ca
>>> leftrsasigkey=%cert
>>> leftsendcert=always
>>> right=%any
>>> rightca=%same
>>> rightrsasigkey=%cert
>>> rightid=%fromcert
>>> </snip>
>>>
>>> On another firewall also running 3.29, I have OSX and windows clients
>>> connecting fine; I have carefully compared all the configs and
>>> certificates and the details seem to be consistent. Clearly I have
>>> overlooked something, wondering if anyone has an idea what it is?
>>>
>>>
>> _______________________________________________
>> Swan mailing list
>> Swan at lists.libreswan.org
>> https://lists.libreswan.org/mailman/listinfo/swan
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
More information about the Swan
mailing list