Re: [strongSwan] peer cert verification: X509: temporary cert import operation failed
Hi, On Thursday, 15 February 2018 17:37:24 CET Thomas Jarosch wrote: > Feb 15 17:20:11.324390: "companyserver" #1: Peer ID is ID_DER_ASN1_DN: > 'CN=firewall.company.com, O=Company, OU=HQ' Feb 15 17:20:11.324416: | > checking for CERT payloads > Feb 15 17:20:11.324426: | found at last one CERT payload, calling > pluto_process_certs() Feb 15 17:20:11.324498: | nothing to decode > Feb 15 17:20:11.324509: "companyserver" #1: X509: temporary cert import > operation failed Feb 15 17:20:11.324524: "companyserver" #1: cert verify > failed with internal error Feb 15 17:20:11.324535: "companyserver" #1: > X509: Certificate rejected for this connection Feb 15 17:20:11.324547: > "companyserver" #1: X509: CERT payload bogus or revoked Feb 15 > 17:20:11.324558: | Peer ID failed to decode > Feb 15 17:20:11.324567: | complete v1 state transition with > INVALID_ID_INFORMATION > > What's puzzles me is the "X509: temporary cert import operation failed" > error message. The output is from "plutodebug=all" already. problem solved in the morning: Using the "ipsec" systemd service was wrong and actually belonged to the libreswan package. I confused these two as a few strongswan versions back the initscript for strongswan was in fact /etc/rc.d/init.d/ipsec :) After using the "strongswan" systemd service everything went smooth. That also explains why it was suddenly using the nssdb instead of the certificates from disk as I was used to it. Cheers, Thomas
[strongSwan] peer cert verification: X509: temporary cert import operation failed
Hello together, I'm currently trying to set up a IKEv1 connection with strongswan 5.6.0 on Fedora 27. It uses a local nssdb in /etc/ipsec.d to handle certificates / private keys. The connection definition loads fine. When I tell the client to connect, it fails to verify the certificate from the right (=server) side: Feb 15 17:20:11.324390: "companyserver" #1: Peer ID is ID_DER_ASN1_DN: 'CN=firewall.company.com, O=Company, OU=HQ' Feb 15 17:20:11.324416: | checking for CERT payloads Feb 15 17:20:11.324426: | found at last one CERT payload, calling pluto_process_certs() Feb 15 17:20:11.324498: | nothing to decode Feb 15 17:20:11.324509: "companyserver" #1: X509: temporary cert import operation failed Feb 15 17:20:11.324524: "companyserver" #1: cert verify failed with internal error Feb 15 17:20:11.324535: "companyserver" #1: X509: Certificate rejected for this connection Feb 15 17:20:11.324547: "companyserver" #1: X509: CERT payload bogus or revoked Feb 15 17:20:11.324558: | Peer ID failed to decode Feb 15 17:20:11.324567: | complete v1 state transition with INVALID_ID_INFORMATION What's puzzles me is the "X509: temporary cert import operation failed" error message. The output is from "plutodebug=all" already. May be that happens because I imported the cert of the right side into the nssdb already? # certutil -d sql:/etc/ipsec.d -L Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI cert.pem CTu,u,u server.pem CT,, The server certificate is a self-signed one, the nickname is the original filename "server.pem". Any idea what might cause the "cert verify failed with internal error" message? Cheers, Thomas
Re: [strongSwan] strongSwan RSA signature vulnerability
Hi, On Thursday, 31. May 2012 17:23:43 Martin Willi wrote: To exploit the vulnerability, a connection definition using RSA authentication is required. An attacker presenting a forged signature and/or certificate can authenticate as any legitimate user. strongSwan version back to 4.2.0 and up to 4.6.3 are affected, using both IKEv1 and IKEv2. Injecting code is not possible by such an attack. I think one little detail is worth mentioning: You have to know the (public) details of the certificate in order to forge it. In the worst case the attacker already has ways of sniffing your traffic or knows how to redirect the client traffic (f.e. DNS poisioning). Then it's easy to read out the certificate details. Otherwise he needs to look at the certificates returned by strongswan and try to guess a pattern for the IPSEC id. If that succeeded, he still needs to get the IP addresses in phase 2 right. So if the connection is not configured by modeconfig, it's another round of guess work. Since this requires a lot of manual labor, it's unlikely that this can be exploited by an automated system (=spam bot net). It's more dangerous for a dedicated attack. Please correct me if I'm wrong :) Thomas ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] I need a working config for Android (4.0.3) - StrongSwan (4.5.6)
On Wednesday, 16. May 2012 00:00:55 Clarence wrote: I've been trying to get My android tablet to connect to the StrongSwan Server all day today... I don't know the brand or model of your tablet, but our HTC Sensation phone in the lab has a software bug and only works via UMTS. IPSEC over WLAN is broken and messes up the routings (we fixed it manually via the root shell). According to my colleague it's a HTC issue since it's supposed to work on an original Google phone with Android 4. Any reason you didn't enable NAT traversal in your config? Thomas ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] Issue in setting up VPN connection (IKEv1) using android (ICS vpn client) with Strongswan 4.5.0 server
Hi Kushagra, there was an issue with XAUTH + Android 4, see this discussion and patch for the solution: https://lists.strongswan.org/pipermail/dev/2012-April/000551.html Thomas ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] Accounting Tickets
Hi Martin, On Friday, 24. February 2012 10:58:54 Martin Willi wrote: Hm, might make sense in some setups, try the attached patch. While looking at the patch out of curiosity, I noticed two things regarding the snprintf() usage: - If the source string is larger than the destination buffer, zero termination of the destination buffer is implementation defined. C99 states it will always be zero terminated IIRC. So this is not a real issue. - Return value of snprintf() is the number of bytes that would have been written -if- the destination buffer is not big enough. See also: http://lwn.net/Articles/69419/ A quick grep showed that libstrongswan/plugins/pem/pem_encoder.c seems to be affected. What do you think? Best regards, Thomas ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] NAT Traversal - Issues in understanding
On Thursday, 21. July 2011 15:09:27 Andreas Steffen wrote: Please be aware that a serious NAT-T bug was fixed in strongSwan 4.5.1 and later versions which in the case of a responder sitting behind a NAT router, caused the host to answer requests sent on port 4500 on port 500 instead. Quick question: Does this affect IKEv2 / IKEv1 or both? Cheers, Thomas ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] NAT Traversal - Issues in understanding
On Friday, 22. July 2011 09:42:41 Andreas Steffen wrote: Hello Thomas, this NAT-T bug affects IKEv2 only. Thanks for the info. Thomas ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] Strongswan in vmware
On Friday, 16. July 2010 20:43:39 Andreas Steffen wrote: the debugging level shouldn't have any influence at all with the establishment of the tunnel. May be a timing issue? The debug stuff usually slows down things a lot. Cheers, Thomas ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] How to config UNITY_BANNER?
Hello Kalaj, On Friday, 18. December 2009 10:43:06 Kalaj wrote: Running IPSEC cisco VPN, is it possible to config UNITY_BANNER string in config file? The banner is a fixed define. You have to alter the source for now, that's what we do here ;) Cheers, Thomas ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
[strongSwan] [patch] Start charon/pluto only if they were built
Hello together, attached is a patch to start charon/pluto only if they were built. Best regards, Thomas Jarosch diff -u -r -p strongswan-4.2.13/src/starter/Makefile.am strongswan.starter/src/starter/Makefile.am --- strongswan-4.2.13/src/starter/Makefile.am Tue Dec 23 07:24:01 2008 +++ strongswan.starter/src/starter/Makefile.am Tue Mar 24 15:04:40 2009 @@ -15,6 +15,14 @@ MAINTAINERCLEANFILES = lex.yy.c y.tab.c PLUTODIR=$(top_srcdir)/src/pluto SCEPCLIENTDIR=$(top_srcdir)/src/scepclient +if USE_PLUTO + AM_CFLAGS += -DSTART_PLUTO +endif + +if USE_CHARON + AM_CFLAGS += -DSTART_CHARON +endif + lex.yy.c: parser.l parser.y parser.h y.tab.c $(LEX) --nounput $ diff -u -r -p strongswan-4.2.13/src/starter/confread.c strongswan.starter/src/starter/confread.c --- strongswan-4.2.13/src/starter/confread.c Tue Mar 24 11:59:44 2009 +++ strongswan.starter/src/starter/confread.c Tue Mar 24 15:06:14 2009 @@ -61,8 +61,18 @@ static void default_values(starter_confi cfg-setup.hidetos = TRUE; cfg-setup.uniqueids = TRUE; cfg-setup.interfaces = new_list(%defaultroute); + +#ifdef START_CHARON cfg-setup.charonstart = TRUE; +#else + cfg-setup.charonstart = FALSE; +#endif + +#ifdef START_PLUTO cfg-setup.plutostart = TRUE; +#else + cfg-setup.plutostart = FALSE; +#endif /* limit certificate requests * magic values: -1: unlimited -2: use pluto default */ ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] [patch] add support for --disable-threads
On Tuesday, 2. December 2008 10:05:10 you wrote: Thanks, applied to [4735]. I slightly modified the patch that this option affects pluto only. I think it might be somewhat confusing for a user if --disable-threads completely removes IKEv2 support. Fine with me. I thought threads are needed for charon... The strongswan download page still links to the old CVS repository. As the revision number indicated the source is maintained via SVN, I quickly found the trac link while searching the mailinglist archive ;-) Thomas ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
[strongSwan] [patch] add missing include
Hello together, attached patch fixes a small compile error of struct tm not being defined. Cheers, Thomas diff -u -r -p strongswan-4.2.9/src/libstrongswan/utils.c strongswan.include/src/libstrongswan/utils.c --- strongswan-4.2.9/src/libstrongswan/utils.c 2008-09-17 23:10:35.0 +0200 +++ strongswan.include/src/libstrongswan/utils.c 2008-12-01 22:43:58.0 +0100 @@ -24,6 +24,7 @@ #include stdio.h #include unistd.h #include dirent.h +#include time.h #include enum.h #include debug.h ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
[strongSwan] [patch] add support for --disable-threads
Hello together, attached is a patch to make compilation without threads easier. Cheers, Thomas diff -u -r -p strongswan-4.2.9/configure.in strongswan-4.2.9.no_threads/configure.in --- strongswan-4.2.9/configure.in 2008-11-16 23:34:47.0 +0100 +++ strongswan-4.2.9.no_threads/configure.in 2008-12-01 23:16:13.0 +0100 @@ -570,6 +570,17 @@ AC_ARG_ENABLE( ) AC_ARG_ENABLE( + [threads], + AS_HELP_STRING([--disable-threads],[disable use of threads. Threads are needed for charon. (default is NO).]), + [if test x$enableval = xyes; then + threads=true + else + threads=false + fi], + threads=true +) + +AC_ARG_ENABLE( [charon], AS_HELP_STRING([--disable-charon],[disable the IKEv2 keying daemon charon. (default is NO).]), [if test x$enableval = xyes; then @@ -928,7 +939,8 @@ AM_CONDITIONAL(USE_INTEGRITY_TEST, test AM_CONDITIONAL(USE_SELF_TEST, test x$self_test = xtrue) AM_CONDITIONAL(USE_CAPABILITIES, test x$capabilities = xlibcap) AM_CONDITIONAL(USE_PLUTO, test x$pluto = xtrue) -AM_CONDITIONAL(USE_CHARON, test x$charon = xtrue) +AM_CONDITIONAL(USE_THREADS, test x$threads = xtrue) +AM_CONDITIONAL(USE_CHARON, test x$charon = xtrue -a x$threads = xtrue) AM_CONDITIONAL(USE_TOOLS, test x$tools = xtrue) AM_CONDITIONAL(USE_LIBSTRONGSWAN, test x$charon = xtrue -o x$tools = xtrue) AM_CONDITIONAL(USE_FILE_CONFIG, test x$pluto = xtrue -o x$stroke = xtrue) diff -u -r -p strongswan-4.2.9/src/pluto/Makefile.am strongswan-4.2.9.no_threads/src/pluto/Makefile.am --- strongswan-4.2.9/src/pluto/Makefile.am 2008-09-17 23:10:41.0 +0200 +++ strongswan-4.2.9.no_threads/src/pluto/Makefile.am 2008-12-01 22:28:17.0 +0100 @@ -85,7 +85,7 @@ AM_CFLAGS = \ -DIPSEC_PIDDIR=\${piddir}\ \ -DSHARED_SECRETS_FILE=\${confdir}/ipsec.secrets\ \ -DKERNEL26_SUPPORT -DKERNEL26_HAS_KAME_DUPLICATES \ --DPLUTO -DKLIPS -DDEBUG -DTHREADS +-DPLUTO -DKLIPS -DDEBUG pluto_LDADD = \ oid.o \ @@ -143,3 +143,6 @@ if USE_CAPABILITIES pluto_LDADD += -lcap endif +if USE_THREADS + AM_CFLAGS += -DTHREADS +endif ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
[strongSwan] [patch] refcount handling using atomic memory operations
Hello together, attached is a patch to implement refcount handling using atomic memory operations if supported by the compiler (gcc = 4.1) and platform. It was really tricky to get the configure.in part right as __sync_fetch_and_add() is defined on i386 but will result in a link error later on. Call configure with: ./configure CFLAGS=-march=i586 to enable the new code. The code is untested as I don't have a strongswan 4.x setup yet. It compiles cleanly though ;-) Cheers, Thomas --- strongswan-4.2.9/configure.in 2008-11-16 23:34:47.0 +0100 +++ strongswan-4.2.9.no_threads/configure.in 2008-12-02 00:58:43.0 +0100 @@ -948,6 +960,27 @@ dnl == dnl build Makefiles dnl == +AC_MSG_CHECKING(for gcc atomic memory operations) +AC_TRY_RUN( +[ + int main() + { +volatile int ref = 1; + +__sync_fetch_and_add (ref, 1); +__sync_sub_and_fetch (ref, 1); + +/* Make sure test fails on i386 as the operations above are not supported */ +__sync_val_compare_and_swap(ref, 1, 0); + +return ref; + } +],[ +AC_MSG_RESULT(yes) +AC_DEFINE(HAVE_GCC_ATOMIC_OPERATIONS, 1, [Enable if your gcc supports atomic memory operations]) +], [AC_MSG_RESULT(no. Try running configure f.e. with CFLAGS=-march=i586 if you are on x86)]) + + AC_OUTPUT( Makefile src/Makefile --- strongswan-4.2.9/src/libstrongswan/utils.c 2008-12-01 23:42:13.0 +0100 +++ strongswan-4.2.9.no_threads/src/libstrongswan/utils.c 2008-12-02 00:21:14.0 +0100 @@ -20,7 +20,6 @@ #include sys/stat.h #include string.h -#include pthread.h #include stdio.h #include unistd.h #include dirent.h @@ -29,6 +28,10 @@ #include enum.h #include debug.h +#ifndef HAVE_GCC_ATOMIC_OPERATIONS + #include pthread.h +#endif + ENUM(status_names, SUCCESS, DESTROY_ME, SUCCESS, FAILED, @@ -130,6 +133,12 @@ void nop() { } +#ifdef HAVE_GCC_ATOMIC_OPERATIONS +/** + * We use fast atomic memory operations if supported + * by the compiler (gcc 4.1) and platform. + */ +#else /** * We use a single mutex for all refcount variables. This * is not optimal for performance, but the critical section @@ -137,34 +146,39 @@ void nop() * TODO: Consider to include a mutex in each refcount_t variable. */ static pthread_mutex_t ref_mutex = PTHREAD_MUTEX_INITIALIZER; +#endif /** - * Described in header. - * - * TODO: May be implemented with atomic CPU instructions - * instead of a mutex. + * Increase refcount */ void ref_get(refcount_t *ref) { +#ifdef HAVE_GCC_ATOMIC_OPERATIONS + __sync_fetch_and_add(ref, 1); +#else pthread_mutex_lock(ref_mutex); (*ref)++; pthread_mutex_unlock(ref_mutex); +#endif } /** - * Described in header. - * - * TODO: May be implemented with atomic CPU instructions - * instead of a mutex. + * Decrease refcount + * @return true if refcount is zero, false otherwise */ bool ref_put(refcount_t *ref) { +#ifdef HAVE_GCC_ATOMIC_OPERATIONS + refcount_t more_refs = __sync_sub_and_fetch(ref, 1); + return (more_refs == 0); +#else bool more_refs; pthread_mutex_lock(ref_mutex); more_refs = --(*ref); pthread_mutex_unlock(ref_mutex); return !more_refs; +#endif } /** ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users