Re: iked rsa pki configuration
On Wed, Aug 19, 2015 at 03:50:47PM +0200, Sebastien Marie wrote:
On Wed, Aug 19, 2015 at 10:33:54AM +0200, Reyk Floeter wrote:
In this case, LibreSSL was Theo who unintentionally broke ikectl.
I attached a diff that generates new .cnf files by expanding the
variables in the source .cnf files and generating target .cnf files.
It works with both, ikeca.cnf and x508v3.cnf (ignore the warnings),
but you/we should install ikeca.cnf to /etc/ssl/ by default.
There are more pending changes for ikectl (eg. from semarie@), but I'd
like to fix this first.
for new code at least, you should check snprintf() return value for
overflow. you could reuse the xsnprintf() code I sent previously if you
want :)
I usually do one thing at a time. Yes, snprintf() doesn't check for
overflow but it is not adding any serious additional risk now - I
wanted to fix basic operation of ikectl first.
I'm not fond of adding x* functions (like xmalloc) but I agree that
the return values should be checked. But they should be checked
everywhere - I didn't forget about your diff. So maybe xsnprintf() is
OK in ikeca'c specific case.
Could you update and resend your ikectl diffs?
and some others notes inline.
Index: ikeca.c
===
RCS file: /cvs/src/usr.sbin/ikectl/ikeca.c,v
retrieving revision 1.32
diff -u -p -u -p -r1.32 ikeca.c
--- ikeca.c 15 Aug 2015 04:47:28 - 1.32
+++ ikeca.c 19 Aug 2015 08:12:39 -
[...]
@@ -489,6 +527,46 @@ fcopy(char *src, char *dst, mode_t mode)
}
int
+fcopy_env(const char *src, const char *dst, mode_t mode)
+{
returning int isn't useful: all errors are fatal and you always return 0
value (which is also unused by caller).
Same here, I saw the useless return values in ikeca.c and just adopted
the style. It might sound crazy, but it is actually an invitation to
change it everywhere in a separate step (incl. fcopy()).
+ int ofd = -1, i;
+ u_int8_t buf[BUFSIZ];
+ ssize_t r = -1, len;
+ FILE*ifp = NULL;
+ int saved_errno;
+
+ if ((ifp = fopen(src, r)) == NULL)
+ err(1, fopen %s, src);
+
+ if ((ofd = open(dst, O_WRONLY|O_CREAT|O_TRUNC, mode)) == -1)
+ goto done;
+
+ while (fgets(buf, sizeof(buf), ifp) != 0) {
+ for (i = 0; ca_env[i][0] != NULL; i++) {
+ if (ca_env[i][1] == NULL)
+ continue;
+ expand_string(buf, sizeof(buf),
+ ca_env[i][0], ca_env[i][1]);
+ }
btw., the expand_string() return value is checked in the committed diff.
something could go wrong here if fgets() partially read a normally expanded
name:
for example: file with `$ENV::CADB' inside
one read:
buf = ...$ENV::C
expand don't found `$ENV::CADB'
next read
buf = ADB...
`$ENV::CADB' wouldn't be expanded
But how likely or valid is it that fgets() will return an incomplete
line from a .cnf file? It must be BUFSIZ or a read from weird I/O
(maybe fuse or NFS) but fgets() would return NULL on I/O errors.
To be safe, I could a) check for feof() and ferror() and b) test if
the returned line includes a newline. Growing a buffer from multiple
lines doesn't seem to be necessary.
Reyk
+ len = strlen(buf);
+ if (write(ofd, buf, len) != len)
+ goto done;
+ }
+
+ r = 0;
+
+ done:
+ saved_errno = errno;
+ close(ofd);
+ if (ifp != NULL)
+ fclose(ifp);
+ if (r == -1)
+ errc(1, saved_errno, open %s, dst);
+
+ return (0);
+}
+
--
Sebastien Marie
--
Re: iked rsa pki configuration
On Wed, Aug 19, 2015 at 10:33:54AM +0200, Reyk Floeter wrote:
In this case, LibreSSL was Theo who unintentionally broke ikectl.
I attached a diff that generates new .cnf files by expanding the
variables in the source .cnf files and generating target .cnf files.
It works with both, ikeca.cnf and x508v3.cnf (ignore the warnings),
but you/we should install ikeca.cnf to /etc/ssl/ by default.
There are more pending changes for ikectl (eg. from semarie@), but I'd
like to fix this first.
for new code at least, you should check snprintf() return value for
overflow. you could reuse the xsnprintf() code I sent previously if you
want :)
and some others notes inline.
Index: ikeca.c
===
RCS file: /cvs/src/usr.sbin/ikectl/ikeca.c,v
retrieving revision 1.32
diff -u -p -u -p -r1.32 ikeca.c
--- ikeca.c 15 Aug 2015 04:47:28 - 1.32
+++ ikeca.c 19 Aug 2015 08:12:39 -
[...]
@@ -489,6 +527,46 @@ fcopy(char *src, char *dst, mode_t mode)
}
int
+fcopy_env(const char *src, const char *dst, mode_t mode)
+{
returning int isn't useful: all errors are fatal and you always return 0
value (which is also unused by caller).
+ int ofd = -1, i;
+ u_int8_t buf[BUFSIZ];
+ ssize_t r = -1, len;
+ FILE*ifp = NULL;
+ int saved_errno;
+
+ if ((ifp = fopen(src, r)) == NULL)
+ err(1, fopen %s, src);
+
+ if ((ofd = open(dst, O_WRONLY|O_CREAT|O_TRUNC, mode)) == -1)
+ goto done;
+
+ while (fgets(buf, sizeof(buf), ifp) != 0) {
+ for (i = 0; ca_env[i][0] != NULL; i++) {
+ if (ca_env[i][1] == NULL)
+ continue;
+ expand_string(buf, sizeof(buf),
+ ca_env[i][0], ca_env[i][1]);
+ }
something could go wrong here if fgets() partially read a normally expanded
name:
for example: file with `$ENV::CADB' inside
one read:
buf = ...$ENV::C
expand don't found `$ENV::CADB'
next read
buf = ADB...
`$ENV::CADB' wouldn't be expanded
+ len = strlen(buf);
+ if (write(ofd, buf, len) != len)
+ goto done;
+ }
+
+ r = 0;
+
+ done:
+ saved_errno = errno;
+ close(ofd);
+ if (ifp != NULL)
+ fclose(ifp);
+ if (r == -1)
+ errc(1, saved_errno, open %s, dst);
+
+ return (0);
+}
+
--
Sebastien Marie
Re: iked rsa pki configuration
On Wed, Aug 19, 2015 at 10:33:54AM +0200, Reyk Floeter wrote:
I attached a diff that generates new .cnf files by expanding the
variables in the source .cnf files and generating target .cnf files.
It works with both, ikeca.cnf and x508v3.cnf (ignore the warnings),
but you/we should install ikeca.cnf to /etc/ssl/ by default.
There are more pending changes for ikectl (eg. from semarie@), but I'd
like to fix this first.
OK?
Reyk
Index: Makefile
===
RCS file: /cvs/src/usr.sbin/ikectl/Makefile,v
retrieving revision 1.3
diff -u -p -u -p -r1.3 Makefile
--- Makefile 18 Jan 2014 05:54:51 - 1.3
+++ Makefile 19 Aug 2015 08:12:39 -
@@ -3,7 +3,7 @@
.PATH: ${.CURDIR}/../../sbin/iked
PROG=ikectl
-SRCS=log.c ikeca.c ikectl.c parser.c
+SRCS=log.c ikeca.c ikectl.c parser.c util.c
util.c is missing from diff
--
Sebastien Marie
Re: iked rsa pki configuration
On 2015-08-19, Sebastien Marie sema...@openbsd.org wrote:
On Wed, Aug 19, 2015 at 10:33:54AM +0200, Reyk Floeter wrote:
I attached a diff that generates new .cnf files by expanding the
variables in the source .cnf files and generating target .cnf files.
It works with both, ikeca.cnf and x508v3.cnf (ignore the warnings),
but you/we should install ikeca.cnf to /etc/ssl/ by default.
There are more pending changes for ikectl (eg. from semarie@), but I'd
like to fix this first.
OK?
Reyk
Index: Makefile
===
RCS file: /cvs/src/usr.sbin/ikectl/Makefile,v
retrieving revision 1.3
diff -u -p -u -p -r1.3 Makefile
--- Makefile 18 Jan 2014 05:54:51 - 1.3
+++ Makefile 19 Aug 2015 08:12:39 -
@@ -3,7 +3,7 @@
.PATH: ${.CURDIR}/../../sbin/iked
PROG= ikectl
-SRCS= log.c ikeca.c ikectl.c parser.c
+SRCS= log.c ikeca.c ikectl.c parser.c util.c
util.c is missing from diff
util.c is pulled in from the iked folder. It is already in the tree.
Re: iked rsa pki configuration
On 2015-08-19, Reyk Floeter r...@openbsd.org wrote: On Wed, Aug 19, 2015 at 02:04:47PM +1000, Jonathan Gray wrote: On Tue, Aug 18, 2015 at 09:22:14PM +0200, Reyk Floeter wrote: On Tue, Aug 18, 2015 at 02:26:29PM +, Jona Joachim wrote: Hi, I'm currently trying to setup a road warrior IKEv2 IPSEC tunnel between two OpenBSD boxes running a recent amd64 snapshot. The client is behing a NAT. The setup works with a PSK but I cannot make it work with RSA certificates. No matter what I tried, the client seems to fail connecting with: ca_getreq: no valid local certificate found I turn to the mailing list to see if anybody can point me into the right direction. I loosely followed the following guide: http://puffysecurity.com/wiki/openikedoffshore.html I will try to shorten the command output to make it more readable. There is an OpenSSL error during the creation of the CA concerning a missing element in openssl.cnf. I did not modify openssl.cnf. On the server side I did the following: # ikectl ca ikeca create [...] Signature ok subject=/C=NL/CN=ikeca/emailAddress=j...@joachim.cc Getting Private key Using configuration from /etc/ssl/openssl.cnf variable lookup failed for ca::default_ca 7504668282756:error:0E06D06C:configuration file routines:NCONF_get_string:no value:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/conf/conf_lib.c:323:group=ca name=default_ca It seems that the changes in LibreSSL (or newer OpenSSL before the fork) broke some things in ikectl. Specifically, the possibility to overwrite variables like CERTIP or CERTFQDN via $ENV:: options in x509v3.cnf ikeca.cnf* seems to be broken; or not longer supported because of security concerns. Your log file gives a hint that the default CERTFQDN = nohost.nodomain value from /etc/ssl/x509v3.cnf (or /etc/ssl/ikeca.cnf) is used instead of the CERTFQDN overwrite from the environment (as set by ikectl): ca_getreq: found CA /C=NL/CN=ikeca/emailAddress=j...@joachim.cc ca_x509_subjectaltname: FQDN/nohost.nodomain ca_x509_subjectaltname_cmp: FQDN/nohost.nodomain mismatched ca_getreq: no valid local certificate found If libressl no longer supports $ENV in the .cnf files, we have to find another way, eg. by generating and using a .cnf file for each certificate. LibreSSL purposefully removed support for environment variables in http://marc.info/?l=openbsd-cvsm=142876823016723w=2 http://marc.info/?l=openbsd-cvsm=142876823016723w=2 So another way is indeed needed. In this case, LibreSSL was Theo who unintentionally broke ikectl. I attached a diff that generates new .cnf files by expanding the variables in the source .cnf files and generating target .cnf files. It works with both, ikeca.cnf and x508v3.cnf (ignore the warnings), but you/we should install ikeca.cnf to /etc/ssl/ by default. The patch fixes certificate generation for me. SubjectAltName gets set correctly and iked is happy. It is unfortunate that openssl does not accept SANs as command line arguments. I like the nice stringe expansion solution. Maybe libtls will wrap this up nicely, making it possible to generate the certificates through the API.
Re: iked rsa pki configuration
On Wed, Aug 19, 2015 at 02:04:47PM +1000, Jonathan Gray wrote:
On Tue, Aug 18, 2015 at 09:22:14PM +0200, Reyk Floeter wrote:
On Tue, Aug 18, 2015 at 02:26:29PM +, Jona Joachim wrote:
Hi,
I'm currently trying to setup a road warrior IKEv2 IPSEC tunnel between
two OpenBSD boxes running a recent amd64 snapshot. The client is behing
a NAT.
The setup works with a PSK but I cannot make it work with RSA
certificates. No matter what I tried, the client seems to fail
connecting with:
ca_getreq: no valid local certificate found
I turn to the mailing list to see if anybody can point me into the right
direction.
I loosely followed the following guide:
http://puffysecurity.com/wiki/openikedoffshore.html
I will try to shorten the command output to make it more readable.
There is an OpenSSL error during the creation of the CA concerning a
missing element in openssl.cnf. I did not modify openssl.cnf.
On the server side I did the following:
# ikectl ca ikeca create
[...]
Signature ok
subject=/C=NL/CN=ikeca/emailAddress=j...@joachim.cc
Getting Private key
Using configuration from /etc/ssl/openssl.cnf
variable lookup failed for ca::default_ca
7504668282756:error:0E06D06C:configuration file
routines:NCONF_get_string:no
value:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/conf/conf_lib.c:323:group=ca
name=default_ca
It seems that the changes in LibreSSL (or newer OpenSSL before the
fork) broke some things in ikectl.
Specifically, the possibility to overwrite variables like CERTIP or
CERTFQDN via $ENV:: options in x509v3.cnf ikeca.cnf* seems to be
broken; or not longer supported because of security concerns.
Your log file gives a hint that the default CERTFQDN = nohost.nodomain
value from /etc/ssl/x509v3.cnf (or /etc/ssl/ikeca.cnf) is used instead
of the CERTFQDN overwrite from the environment (as set by ikectl):
ca_getreq: found CA /C=NL/CN=ikeca/emailAddress=j...@joachim.cc
ca_x509_subjectaltname: FQDN/nohost.nodomain
ca_x509_subjectaltname_cmp: FQDN/nohost.nodomain mismatched
ca_getreq: no valid local certificate found
If libressl no longer supports $ENV in the .cnf files, we have to find
another way, eg. by generating and using a .cnf file for each
certificate.
LibreSSL purposefully removed support for environment variables in
http://marc.info/?l=openbsd-cvsm=142876823016723w=2
http://marc.info/?l=openbsd-cvsm=142876823016723w=2
So another way is indeed needed.
In this case, LibreSSL was Theo who unintentionally broke ikectl.
I attached a diff that generates new .cnf files by expanding the
variables in the source .cnf files and generating target .cnf files.
It works with both, ikeca.cnf and x508v3.cnf (ignore the warnings),
but you/we should install ikeca.cnf to /etc/ssl/ by default.
There are more pending changes for ikectl (eg. from semarie@), but I'd
like to fix this first.
OK?
Reyk
Index: Makefile
===
RCS file: /cvs/src/usr.sbin/ikectl/Makefile,v
retrieving revision 1.3
diff -u -p -u -p -r1.3 Makefile
--- Makefile18 Jan 2014 05:54:51 - 1.3
+++ Makefile19 Aug 2015 08:12:39 -
@@ -3,7 +3,7 @@
.PATH: ${.CURDIR}/../../sbin/iked
PROG= ikectl
-SRCS= log.c ikeca.c ikectl.c parser.c
+SRCS= log.c ikeca.c ikectl.c parser.c util.c
MAN= ikectl.8
Index: ikeca.c
===
RCS file: /cvs/src/usr.sbin/ikectl/ikeca.c,v
retrieving revision 1.32
diff -u -p -u -p -r1.32 ikeca.c
--- ikeca.c 15 Aug 2015 04:47:28 - 1.32
+++ ikeca.c 19 Aug 2015 08:12:39 -
@@ -82,13 +82,39 @@ struct {
{ /private, 0700 }
};
-int ca_sign(struct ca *, char *, int, char *);
+/* explicitly list allowed variables */
+const char *ca_env[][2] = {
+ { $ENV::CADB, NULL },
+ { $ENV::CERTFQDN, NULL },
+ { $ENV::CERTIP, NULL },
+ { $ENV::CERTPATHLEN, NULL },
+ { $ENV::CERTUSAGE, NULL },
+ { $ENV::CERT_C, NULL },
+ { $ENV::CERT_CN, NULL },
+ { $ENV::CERT_EMAIL, NULL },
+ { $ENV::CERT_L, NULL },
+ { $ENV::CERT_O, NULL },
+ { $ENV::CERT_OU, NULL },
+ { $ENV::CERT_ST, NULL },
+ { $ENV::EXTCERTUSAGE, NULL },
+ { $ENV::NSCERTTYPE, NULL },
+ { NULL }
+};
+
+int ca_sign(struct ca *, char *, int);
int ca_request(struct ca *, char *);
int ca_newpass(char *, char *);
char * ca_readpass(char *, size_t *);
int fcopy(char *, char *, mode_t);
+int fcopy_env(const char *, const char *, mode_t);
int rm_dir(char *);
int ca_hier(char *);
+voidca_setenv(const char *, const char *);
+voidca_clrenv(void);
+voidca_setcnf(struct ca *, const char *);
+
+/*
Re: iked rsa pki configuration
On Tue, Aug 18, 2015 at 02:26:29PM +, Jona Joachim wrote:
Hi,
I'm currently trying to setup a road warrior IKEv2 IPSEC tunnel between
two OpenBSD boxes running a recent amd64 snapshot. The client is behing
a NAT.
The setup works with a PSK but I cannot make it work with RSA
certificates. No matter what I tried, the client seems to fail
connecting with:
ca_getreq: no valid local certificate found
I turn to the mailing list to see if anybody can point me into the right
direction.
I loosely followed the following guide:
http://puffysecurity.com/wiki/openikedoffshore.html
I will try to shorten the command output to make it more readable.
There is an OpenSSL error during the creation of the CA concerning a
missing element in openssl.cnf. I did not modify openssl.cnf.
On the server side I did the following:
# ikectl ca ikeca create
[...]
Signature ok
subject=/C=NL/CN=ikeca/emailAddress=j...@joachim.cc
Getting Private key
Using configuration from /etc/ssl/openssl.cnf
variable lookup failed for ca::default_ca
7504668282756:error:0E06D06C:configuration file
routines:NCONF_get_string:no
value:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/conf/conf_lib.c:323:group=ca
name=default_ca
It seems that the changes in LibreSSL (or newer OpenSSL before the
fork) broke some things in ikectl.
Specifically, the possibility to overwrite variables like CERTIP or
CERTFQDN via $ENV:: options in x509v3.cnf ikeca.cnf* seems to be
broken; or not longer supported because of security concerns.
Your log file gives a hint that the default CERTFQDN = nohost.nodomain
value from /etc/ssl/x509v3.cnf (or /etc/ssl/ikeca.cnf) is used instead
of the CERTFQDN overwrite from the environment (as set by ikectl):
ca_getreq: found CA /C=NL/CN=ikeca/emailAddress=j...@joachim.cc
ca_x509_subjectaltname: FQDN/nohost.nodomain
ca_x509_subjectaltname_cmp: FQDN/nohost.nodomain mismatched
ca_getreq: no valid local certificate found
If libressl no longer supports $ENV in the .cnf files, we have to find
another way, eg. by generating and using a .cnf file for each
certificate.
As a workaround, you could try to edit CERTFQDN/CERTIP in
x509v3.cnf/ikeca.cnf manually before generating the certificate.
*) ikeca.cnf is an alternative to x509v3.cnf that sets some additional
x509 attributes that are required for Windows interop and some other
cases. It is not installed by default (why?) and found in
src/usr.sbin/ikectl/ikeca.cnf of the source tree.
Reyk
# ikectl ca ikeca certificate 188.226.168.224 create
[...]
Signature ok
subject=/C=NL/CN=188.226.168.224/emailAddress=j...@joachim.cc
Getting CA Private Key
# ikectl ca ikeca certificate asterix.my.domain create
[...]
Signature ok
subject=/C=FR/CN=asterix.my.domain/emailAddress=j...@joachim.cc
Getting CA Private Key
# ikectl ca ikeca install
certificate for CA 'ikeca' installed into /etc/iked/ca/ca.crt
# ikectl ca ikeca certificate 188.226.168.224 install
writing RSA key
# ikectl ca ikeca certificate asterix.my.domain export
Export passphrase:
Retype export passphrase:
writing RSA key
exported files in /root/asterix.my.domain.tgz
On the client side then I did the following:
asterix% sudo tar -C /etc/iked -xzpf asterix.my.domain.tgz
The server configuration files look like this:
iked.conf:
local_ip = 188.226.168.224
ikev2 passive ipcomp esp \
from 0.0.0.0/0 to 10.0.0.0/8 \
from 0.0.0.0/0 to 172.16.0.0/12 \
from 0.0.0.0/0 to 192.168.0.0/16 \
local $local_ip peer any \
srcid $local_ip \
tag IKED
pf.conf (partial):
set skip on { lo, enc }
block in log
pass in quick inet proto icmp icmp-type { echoreq, unreach }
pass in on egress proto { ah, esp }
pass in on egress proto udp from any to any port { isakmp, ipsec-nat-t }
pass out all modulate state
pass out log on egress \
from any to any tagged IKED \
nat-to (egress)
The client configuration files look like this:
iked.conf:
lan = 192.168.1.0/24
remote_gw = 188.226.168.224
ikev2 active esp \
from $lan to 0.0.0.0/0 \
peer $remote_gw \
srcid asterix.my.domain \
tag IKED
Here's the output of iked -dvv on the client side:
ca_privkey_serialize: type RSA_KEY length 1191
ca_pubkey_serialize: type RSA_KEY length 270
ca_reload: loaded ca file ca.crt
ca_reload: /C=NL/CN=ikeca/emailAddress=j...@joachim.cc
ca_reload: loaded 1 ca certificate
ca_reload: loaded cert file asterix.my.domain.crt
ca_validate_cert: /C=FR/CN=asterix.my.domain/emailAddress=j...@joachim.cc
ok
ca_reload: local cert type X509_CERT
lan = 192.168.1.0/24
remote_gw = 188.226.168.224
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
/etc/iked.conf: loaded 1 configuration rules
config_getocsp: ocsp_url none
config_getpolicy: received policy
ikev2 policy1 active esp inet from 192.168.1.0/24 to 0.0.0.0/0 local
any
Re: iked rsa pki configuration
On Tue, Aug 18, 2015 at 09:22:14PM +0200, Reyk Floeter wrote: On Tue, Aug 18, 2015 at 02:26:29PM +, Jona Joachim wrote: Hi, I'm currently trying to setup a road warrior IKEv2 IPSEC tunnel between two OpenBSD boxes running a recent amd64 snapshot. The client is behing a NAT. The setup works with a PSK but I cannot make it work with RSA certificates. No matter what I tried, the client seems to fail connecting with: ca_getreq: no valid local certificate found I turn to the mailing list to see if anybody can point me into the right direction. I loosely followed the following guide: http://puffysecurity.com/wiki/openikedoffshore.html I will try to shorten the command output to make it more readable. There is an OpenSSL error during the creation of the CA concerning a missing element in openssl.cnf. I did not modify openssl.cnf. On the server side I did the following: # ikectl ca ikeca create [...] Signature ok subject=/C=NL/CN=ikeca/emailAddress=j...@joachim.cc Getting Private key Using configuration from /etc/ssl/openssl.cnf variable lookup failed for ca::default_ca 7504668282756:error:0E06D06C:configuration file routines:NCONF_get_string:no value:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/conf/conf_lib.c:323:group=ca name=default_ca It seems that the changes in LibreSSL (or newer OpenSSL before the fork) broke some things in ikectl. Specifically, the possibility to overwrite variables like CERTIP or CERTFQDN via $ENV:: options in x509v3.cnf ikeca.cnf* seems to be broken; or not longer supported because of security concerns. Your log file gives a hint that the default CERTFQDN = nohost.nodomain value from /etc/ssl/x509v3.cnf (or /etc/ssl/ikeca.cnf) is used instead of the CERTFQDN overwrite from the environment (as set by ikectl): ca_getreq: found CA /C=NL/CN=ikeca/emailAddress=j...@joachim.cc ca_x509_subjectaltname: FQDN/nohost.nodomain ca_x509_subjectaltname_cmp: FQDN/nohost.nodomain mismatched ca_getreq: no valid local certificate found If libressl no longer supports $ENV in the .cnf files, we have to find another way, eg. by generating and using a .cnf file for each certificate. LibreSSL purposefully removed support for environment variables in http://marc.info/?l=openbsd-cvsm=142876823016723w=2 http://marc.info/?l=openbsd-cvsm=142876823016723w=2 So another way is indeed needed.
Re: iked rsa pki configuration
On 2015-08-18, Reyk Floeter r...@openbsd.org wrote: On Tue, Aug 18, 2015 at 02:26:29PM +, Jona Joachim wrote: Hi, I'm currently trying to setup a road warrior IKEv2 IPSEC tunnel between two OpenBSD boxes running a recent amd64 snapshot. The client is behing a NAT. The setup works with a PSK but I cannot make it work with RSA certificates. No matter what I tried, the client seems to fail connecting with: ca_getreq: no valid local certificate found I turn to the mailing list to see if anybody can point me into the right direction. I loosely followed the following guide: http://puffysecurity.com/wiki/openikedoffshore.html I will try to shorten the command output to make it more readable. There is an OpenSSL error during the creation of the CA concerning a missing element in openssl.cnf. I did not modify openssl.cnf. On the server side I did the following: # ikectl ca ikeca create [...] Signature ok subject=/C=NL/CN=ikeca/emailAddress=j...@joachim.cc Getting Private key Using configuration from /etc/ssl/openssl.cnf variable lookup failed for ca::default_ca 7504668282756:error:0E06D06C:configuration file routines:NCONF_get_string:no value:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/conf/conf_lib.c:323:group=ca name=default_ca It seems that the changes in LibreSSL (or newer OpenSSL before the fork) broke some things in ikectl. Specifically, the possibility to overwrite variables like CERTIP or CERTFQDN via $ENV:: options in x509v3.cnf ikeca.cnf* seems to be broken; or not longer supported because of security concerns. Your log file gives a hint that the default CERTFQDN = nohost.nodomain value from /etc/ssl/x509v3.cnf (or /etc/ssl/ikeca.cnf) is used instead of the CERTFQDN overwrite from the environment (as set by ikectl): ca_getreq: found CA /C=NL/CN=ikeca/emailAddress=j...@joachim.cc ca_x509_subjectaltname: FQDN/nohost.nodomain ca_x509_subjectaltname_cmp: FQDN/nohost.nodomain mismatched ca_getreq: no valid local certificate found If libressl no longer supports $ENV in the .cnf files, we have to find another way, eg. by generating and using a .cnf file for each certificate. As a workaround, you could try to edit CERTFQDN/CERTIP in x509v3.cnf/ikeca.cnf manually before generating the certificate. Manually editing x509v3.cnf permitted to create valid certificates and solved the problem. Strange that I am the first one to run into this problem. Thank you very much for the quick support!
