[Swan] IKE failure/Issue with Subject Alternative Name
Mayur Nakade
Mayur.Nakade at radisys.com
Fri Oct 13 14:02:24 EEST 2023
Hi Paul,
As asked please find attachment having the output of the command you asked to run, to check certificate content.
Thanks in advance,
Mayur
________________________________
From: Paul Wouters <paul at nohats.ca>
Sent: 12 October 2023 21:56
To: Mayur Nakade <Mayur.Nakade at radisys.com>
Cc: swan at lists.libreswan.org <swan at lists.libreswan.org>
Subject: Re: [Swan] IKE failure/Issue with Subject Alternative Name
The e-mail below is from an external source. Please do not open attachments or click links from an unknown or suspicious origin.
On Thu, 12 Oct 2023, Paul Wouters wrote:
> It does strongly suggest you do not have a subjectAltName extension, and
> trusting CN= is no longer considered secure.
I should clarify this:
https://datatracker.ietf.org/doc/html/rfc2818#section-3.1
If a subjectAltName extension of type dNSName is present, that MUST
be used as the identity. Otherwise, the (most specific) Common Name
field in the Subject field of the certificate MUST be used. Although
the use of the Common Name is existing practice, it is deprecated and
Certification Authorities are encouraged to use the dNSName instead.
Mostly because of the WebPKI, and things like ACME that can authenticate
a DNS name or IP in a subjectAltName, but not the random data within a
CN=.
Also because of multiple SAN entries, the CN= is kind of losing its meaning.
In the context of enduser certificates, it is obviously still very valid
and also secure. Sorry for the confusion.
Paul
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20231013/eaa75caf/attachment.htm>
-------------- next part --------------
HostB certificate as below
-bash-4.2# openssl x509 -in hostB.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
76:1e:9d:b6:b6:33:38:0b:c2:6d:d7:0a:90:fd:e1:0f:46:06:38:40
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = IN, ST = karnataka, L = Bengaluru, O = rsys, OU = r&d, CN = ca.cert.com
Validity
Not Before: Oct 11 11:39:41 2023 GMT
Not After : Oct 10 11:39:41 2024 GMT
Subject: C = IN, ST = karnataka, L = Bengaluru, O = rsys, OU = r&d, CN = hostB.cert.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:d5:e3:fa:19:a1:cc:8f:22:57:6d:fa:2e:8c:51:
12:ea:a4:e5:c4:af:8f:12:3d:97:98:6d:a4:01:a1:
94:3a:5e:1e:8a:2c:78:1a:09:e4:02:6b:a1:26:f6:
6c:47:13:6a:2e:ef:55:db:3b:89:10:72:a5:da:38:
45:ad:d3:ba:c9:72:4c:22:8f:a1:12:b0:23:ff:a3:
55:99:c8:b9:7d:bb:12:c8:57:91:8f:f3:40:ec:4f:
71:83:20:fa:e9:ba:9f:2e:5e:25:b9:9e:07:61:ac:
de:30:81:ad:4a:fc:f0:67:af:c6:b3:8b:00:79:f9:
3c:57:b3:4b:6a:d2:31:74:7e:df:ec:9b:32:35:b8:
99:76:c5:9d:71:c7:b9:84:43:e4:40:1a:33:27:0f:
c2:e2:9a:5a:f1:9c:28:31:2b:37:66:bd:b5:d5:fa:
91:cb:c6:8f:bd:fe:31:3b:43:19:87:d9:b1:43:9b:
61:f4:7f:0d:d7:f9:d2:67:36:bf:4a:0c:e3:59:96:
58:73:87:8e:0d:6c:e8:48:95:fe:39:7f:ae:7d:3a:
f2:c6:55:15:61:52:e5:d5:ed:ed:3c:4a:a5:cd:d3:
dc:8a:92:c1:07:6f:fe:db:ae:21:82:ec:e8:51:33:
4d:97:6d:1d:2f:dd:f4:fa:6f:8a:91:dc:21:66:a2:
8f:4b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Alternative Name:
DNS:hostB.cert.com, DNS:www.hostB.cert.com, IP Address:10.20.20.3
Signature Algorithm: sha256WithRSAEncryption
97:4d:b9:0d:61:aa:94:c9:ba:38:0f:ad:62:93:2e:30:ee:83:
f6:bd:f6:6c:90:f0:df:f9:6e:c1:78:a3:55:ad:0f:d8:26:6a:
e0:09:ab:f7:3a:ab:7f:06:58:16:a8:5a:8a:48:14:9b:0e:4c:
6a:e9:82:86:05:ee:73:9f:e9:ef:40:93:e6:93:67:92:53:49:
0a:89:fc:0d:6f:06:61:17:29:5b:53:12:ab:aa:47:6e:3e:20:
23:0c:dc:e0:84:cf:e8:0a:3b:60:a4:73:a4:21:50:a9:f5:3e:
dd:70:8a:a0:12:6d:94:da:3c:dc:8f:8f:fc:54:ae:ce:ee:98:
c6:54:8a:21:8e:43:b8:8c:bc:ba:26:c6:e2:7b:9a:09:70:4b:
0e:4f:04:28:18:d4:e2:9e:ce:9f:c2:d7:ae:7d:52:d3:0b:70:
98:cc:39:c1:dd:aa:f9:8b:d8:19:be:6e:44:72:0b:19:c7:27:
02:ac:9a:9c:30:16:ac:83:96:97:59:4e:bf:f2:c2:47:16:59:
3e:e3:8c:01:47:35:7b:8d:b3:84:ae:0b:68:7d:07:8d:82:2b:
9a:b1:e2:c6:07:ef:92:9a:6f:61:6b:03:3f:8f:eb:f7:09:28:
b5:66:76:77:ed:49:17:56:ef:91:fc:f3:da:0d:5e:49:9d:a2:
5a:5a:5f:6e
--------------------------------------------------------------------------------------------------------------------------------------------
CA certificate of hostB as below
-bash-4.2# openssl x509 -in CA.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
c7:6c:b5:9f:76:01:0f:f1
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = IN, ST = karnataka, L = Bengaluru, O = rsys, OU = r&d, CN = ca.cert.com
Validity
Not Before: Oct 11 04:47:29 2023 GMT
Not After : Oct 10 04:47:29 2024 GMT
Subject: C = IN, ST = karnataka, L = Bengaluru, O = rsys, OU = r&d, CN = ca.cert.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:c7:47:67:fe:bd:d6:89:82:2b:9e:71:49:89:ed:
62:b9:7b:31:1b:ea:2d:7f:89:c9:31:21:5d:f2:fd:
3a:93:d4:f9:f2:ff:66:51:e2:ea:73:2c:94:ca:70:
bc:b3:36:54:fc:6f:03:0e:0a:00:57:57:8a:41:87:
2d:52:31:d7:fc:64:bd:b4:55:25:d8:f6:2c:5f:dc:
b9:17:09:c0:c2:6f:46:4d:fc:18:b5:93:4b:97:b8:
c5:d0:03:16:87:a9:bc:bb:a3:e7:80:36:ed:4a:d2:
92:88:03:f1:25:b4:72:d6:70:01:7d:cf:34:e1:5a:
f4:27:a9:3e:d7:be:99:d3:1a:db:a2:a8:3c:0e:fb:
4b:f1:43:d1:79:17:fc:7e:1a:e7:0a:54:0f:6b:bc:
b5:30:4a:29:4b:d0:55:68:e4:89:77:87:39:04:1f:
d6:f9:f0:35:a2:3c:7d:de:99:c7:44:0a:77:e0:6c:
b9:34:87:4c:59:a8:f6:8c:10:d8:23:a0:21:7f:c1:
0e:c7:88:4e:79:e1:23:fd:33:65:98:ce:cc:d7:25:
85:64:32:b2:36:a2:55:36:38:13:ef:9e:08:b1:19:
d2:cc:e6:30:2d:5e:27:1e:c2:c7:30:aa:ed:22:bb:
f9:e0:3f:43:b4:1b:41:4d:ae:76:37:b8:95:a8:a2:
fd:d3
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
D2:0E:EE:8F:4F:2C:C3:9E:39:9B:35:48:71:38:C1:66:5D:A3:2C:78
X509v3 Authority Key Identifier:
keyid:D2:0E:EE:8F:4F:2C:C3:9E:39:9B:35:48:71:38:C1:66:5D:A3:2C:78
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
a9:b7:8e:57:a2:c1:c9:4f:4b:04:84:92:34:f1:46:d8:28:b8:
f4:f6:b4:ea:fe:67:c0:09:96:d4:26:fb:69:43:89:77:5a:fb:
5e:c6:38:53:af:a7:d7:ad:50:ed:f4:f0:bb:16:d6:03:18:2c:
a3:e4:b4:a5:a0:23:fd:40:6d:47:14:7e:2e:d1:9c:a7:12:e5:
ca:80:2f:81:88:80:fa:13:91:b2:82:c8:c1:77:95:70:fc:0d:
ec:86:9e:e3:80:99:64:a3:c2:2d:45:8e:24:02:79:81:33:d5:
0d:6d:b9:e1:e9:57:ac:69:e5:7c:63:5b:68:4f:2e:3f:85:58:
e9:88:06:11:e2:6d:83:c8:cf:65:e0:f8:16:f3:a5:f2:4d:bf:
28:0b:22:97:f7:a5:bd:8e:66:21:bc:83:90:da:c9:09:40:d4:
3c:d9:4b:5d:1c:22:ff:79:00:04:d3:de:9a:a6:66:a6:52:e6:
0f:29:cf:d6:48:d1:e5:7d:ab:d9:58:8d:2c:40:86:0f:c7:6f:
eb:45:e6:cf:3e:dc:21:5d:56:5f:ff:89:cc:6c:23:69:46:18:
8e:5f:a7:ab:89:8e:14:83:a7:0d:d1:08:0b:b5:a8:b2:60:32:
9e:c3:5f:82:a1:70:73:ff:a2:c6:88:a9:6b:48:c1:a0:8d:e6:
8e:f5:b2:4e
More information about the Swan
mailing list