On Tue, Aug 18, 2015 at 09:22:14PM +0200, Reyk Floeter wrote:
> On Tue, Aug 18, 2015 at 02:26:29PM +0000, Jona Joachim wrote:
> > Hi,
> > I'm currently trying to set up a road warrior IKEv2 IPSEC tunnel between
> > two OpenBSD boxes running a recent amd64 snapshot. The client is behind
> > a NAT.
> > The setup works with a PSK but I cannot make it work with RSA
> > certificates. No matter what I tried, the client seems to fail
> > connecting with:
> > ca_getreq: no valid local certificate found
> >
> > I turn to the mailing list to see if anybody can point me in the right
> > direction.
> >
> > I loosely followed the following guide:
> > http://puffysecurity.com/wiki/openikedoffshore.html
> > I will try to shorten the command output to make it more readable.
> >
> > There is an OpenSSL error during the creation of the CA concerning a
> > missing element in openssl.cnf. I did not modify openssl.cnf.
> >
> > On the server side I did the following:
> >
> > # ikectl ca ikeca create
> > [...]
> > Signature ok
> > subject=/C=NL/CN=ikeca/[email protected]
> > Getting Private key
> > Using configuration from /etc/ssl/openssl.cnf
> > variable lookup failed for ca::default_ca
> > 7504668282756:error:0E06D06C:configuration file routines:NCONF_get_string:no value:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/conf/conf_lib.c:323:group=ca name=default_ca
> >
>
> It seems that the changes in LibreSSL (or newer OpenSSL before the
> fork) broke some things in ikectl.
>
> Specifically, the possibility to overwrite variables like CERTIP or
> CERTFQDN via $ENV:: options in x509v3.cnf ikeca.cnf* seems to be
> broken; or no longer supported because of security concerns.
>
> Your log file gives a hint that the default "CERTFQDN = nohost.nodomain"
> value from /etc/ssl/x509v3.cnf (or /etc/ssl/ikeca.cnf) is used instead
> of the CERTFQDN overwrite from the environment (as set by ikectl):
>
> > ca_getreq: found CA /C=NL/CN=ikeca/[email protected]
> > ca_x509_subjectaltname: FQDN/nohost.nodomain
> > ca_x509_subjectaltname_cmp: FQDN/nohost.nodomain mismatched
> > ca_getreq: no valid local certificate found
>
> If libressl no longer supports $ENV in the .cnf files, we have to find
> another way, e.g. by generating and using a .cnf file for each
> certificate.

LibreSSL purposefully removed support for environment variables in
http://marc.info/?l=openbsd-cvs&m=142876823016723&w=2

So another way is indeed needed.
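The workaround Reyk sketches above (one generated .cnf per certificate with the SAN written out literally, instead of a shared x509v3.cnf that expects openssl(1) to expand $ENV::CERTFQDN at run time) as a small added example. This is not ikectl's own code and not part of the thread; the section names x509v3_FQDN / x509v3_IP, the hostname client.example.com and the temporary output directory are assumptions made for the illustration. The script also shows the check that matters here: the generated file must contain no $ENV:: lookups at all, since LibreSSL will refuse them rather than fall back silently.

```shell
#!/bin/sh
# Added example, not ikectl's code: generate a per-certificate .cnf with a
# literal subjectAltName instead of relying on "$ENV::CERTFQDN" in a shared
# template, which LibreSSL no longer expands (the default "nohost.nodomain"
# wins, and ca_getreq then reports "no valid local certificate found").
# Assumed, not from the thread: section names x509v3_FQDN / x509v3_IP,
# the hostname client.example.com, and the mktemp output directory.
set -u

# The shape of the old shared template: values are deferred to the
# environment, which is exactly what the LibreSSL conf code now rejects.
SHARED_TEMPLATE='[ x509v3_FQDN ]
subjectAltName = DNS:$ENV::CERTFQDN
[ x509v3_IP ]
subjectAltName = IP:$ENV::CERTIP'

# gen_cert_cnf DIR NAME KIND VALUE
# Writes DIR/NAME.cnf with subjectAltName spelled out (KIND is FQDN or IP)
# plus the minimal [ req ] section openssl req needs with -subj/-batch.
# Prints the path of the generated file.
gen_cert_cnf() {
    dir=$1; name=$2; kind=$3; value=$4
    case $kind in
        FQDN) san="DNS:$value" ;;
        IP)   san="IP:$value" ;;
        *)    echo "gen_cert_cnf: unknown kind $kind" >&2; return 1 ;;
    esac
    # Refuse values that could smuggle extra directives into the file.
    case $value in
        *[!A-Za-z0-9.:-]*) echo "gen_cert_cnf: bad characters in value" >&2; return 1 ;;
    esac
    cnf="$dir/$name.cnf"
    cat > "$cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ x509v3_$kind ]
subjectAltName = $san
EOF
    echo "$cnf"
}

# has_env_refs FILE: succeeds if FILE still carries a $ENV:: lookup, i.e.
# would fail under LibreSSL the same way ikectl's template does.
has_env_refs() {
    grep -q '\$ENV::' "$1"
}

# issue_cert CNF KIND OUTBASE SUBJECT: self-signed for the demonstration;
# ikectl would sign the CSR with the CA key instead of -signkey.
issue_cert() {
    cnf=$1; kind=$2; out=$3; subj=$4
    openssl req -new -newkey rsa:2048 -nodes -batch -config "$cnf" \
        -subj "$subj" -keyout "$out.key" -out "$out.csr" 2>/dev/null &&
    openssl x509 -req -in "$out.csr" -signkey "$out.key" -days 1 \
        -extfile "$cnf" -extensions "x509v3_$kind" -out "$out.crt" 2>/dev/null
}

# san_of CERT: prints the Subject Alternative Name line of CERT.
san_of() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -1 | sed 's/^ *//'
}

workdir=$(mktemp -d)
printf '%s\n' "$SHARED_TEMPLATE" > "$workdir/x509v3.cnf"
has_env_refs "$workdir/x509v3.cnf" && echo "shared template still relies on \$ENV::"

client_cnf=$(gen_cert_cnf "$workdir" client FQDN client.example.com)
has_env_refs "$client_cnf" || echo "generated $client_cnf without \$ENV:: references"

# Only attempt issuance when openssl(1) is on the path.
if command -v openssl >/dev/null 2>&1; then
    issue_cert "$client_cnf" FQDN "$workdir/client" "/C=NL/CN=client.example.com" &&
        echo "SAN in cert: $(san_of "$workdir/client.crt")"
fi
```

With ikectl this would be done once per `ikectl ca ... certificate ... create` invocation, writing the file next to the key and passing it with `-config`/`-extfile` rather than exporting CERTFQDN or CERTIP; the character check in gen_cert_cnf is there because the value now lands in a file openssl parses as configuration, so it must not be able to open a new section.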

