Hi all,

I am trying to configure a certificate-based VPN between a Juniper SRX and StrongSwan 4.3.6.

There are two CAs, CN=root-ca and CN=sub-ca. As the names indicate, root-ca is self-signed and sub-ca is a CA signed by root-ca. The SRX's certificate is certified by sub-ca; StrongSwan's certificate is signed by root-ca. SRX has installed the root-ca and sub-ca certificates; StrongSwan only has root-ca's certificate configured as the CA cert. This means that the SRX has to send not only its own certificate, but also sub-ca's certificate as the intermediate CA.

This all works fine; however, I am ending up with "no public key known" on the StrongSwan side for the SRX public key. I have observed that the order of the certificates received by StrongSwan is SRX cert, sub-ca cert and then root-ca cert. After reception of the SRX cert, it seems that StrongSwan drops that cert because it can't verify the issuer and then never recovers when it afterwards receives the intermediate CA:

Jun 15 13:20:19 debian pluto[27490]: "srx" #5: issuer cacert not found
Jun 15 13:20:19 debian pluto[27490]: "srx" #5: X.509 certificate rejected

Can anyone confirm? Thanks!

Here are the detailed logs:

Jun 15 13:20:19 debian pluto[27490]: | ICOOKIE: e8 0a 9f ce 96 52 a3 d6
Jun 15 13:20:19 debian pluto[27490]: | RCOOKIE: fb e9 79 82 92 62 7f 46
Jun 15 13:20:19 debian pluto[27490]: | peer: 0a 00 51 52
Jun 15 13:20:19 debian pluto[27490]: | state hash entry 15
Jun 15 13:20:19 debian pluto[27490]: | state object #5 found, in STATE_MAIN_I3
Jun 15 13:20:19 debian pluto[27490]: | ***parse ISAKMP Identification Payload:
Jun 15 13:20:19 debian pluto[27490]: | next payload type: ISAKMP_NEXT_CERT
Jun 15 13:20:19 debian pluto[27490]: | length: 12
Jun 15 13:20:19 debian pluto[27490]: | ID type: ID_IPV4_ADDR
Jun 15 13:20:19 debian pluto[27490]: | DOI specific A: 17
Jun 15 13:20:19 debian pluto[27490]: | DOI specific B: 0
Jun 15 13:20:19 debian pluto[27490]: | ***parse ISAKMP Certificate Payload:
Jun 15 13:20:19 debian pluto[27490]: | next payload type: ISAKMP_NEXT_CERT
Jun 15 13:20:19 debian pluto[27490]: | length: 784
Jun 15 13:20:19 debian pluto[27490]: | cert encoding: CERT_X509_SIGNATURE
Jun 15 13:20:19 debian pluto[27490]: | ***parse ISAKMP Certificate Payload:
Jun 15 13:20:19 debian pluto[27490]: | next payload type: ISAKMP_NEXT_CERT
Jun 15 13:20:19 debian pluto[27490]: | length: 700
Jun 15 13:20:19 debian pluto[27490]: | cert encoding: CERT_X509_SIGNATURE
Jun 15 13:20:19 debian pluto[27490]: | ***parse ISAKMP Certificate Payload:
Jun 15 13:20:19 debian pluto[27490]: | next payload type: ISAKMP_NEXT_SIG
Jun 15 13:20:19 debian pluto[27490]: | length: 762
Jun 15 13:20:19 debian pluto[27490]: | cert encoding: CERT_X509_SIGNATURE
Jun 15 13:20:19 debian pluto[27490]: | ***parse ISAKMP Signature Payload:
Jun 15 13:20:19 debian pluto[27490]: | next payload type: ISAKMP_NEXT_NONE
Jun 15 13:20:19 debian pluto[27490]: | length: 260
Jun 15 13:20:19 debian pluto[27490]: | removing 10 bytes of padding
Jun 15 13:20:19 debian pluto[27490]: | protocol/port in Phase 1 ID Payload is 17/0. accepted with port_floating NAT-T
Jun 15 13:20:19 debian pluto[27490]: "srx" #5: Peer ID is ID_IPV4_ADDR: '10.0.81.82'
Jun 15 13:20:19 debian pluto[27490]: | L0 - x509:
Jun 15 13:20:19 debian pluto[27490]: | L1 - tbsCertificate:
Jun 15 13:20:19 debian pluto[27490]: | L2 - DEFAULT v1:
Jun 15 13:20:19 debian pluto[27490]: | L3 - version:
Jun 15 13:20:19 debian pluto[27490]: | X.509v3
Jun 15 13:20:19 debian pluto[27490]: | L2 - serialNumber:
Jun 15 13:20:19 debian pluto[27490]: | L2 - signature:
Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithmIdentifier:
Jun 15 13:20:19 debian pluto[27490]: | L4 - algorithm:
Jun 15 13:20:19 debian pluto[27490]: | 'sha-1WithRSAEncryption'
Jun 15 13:20:19 debian pluto[27490]: | L2 - issuer:
Jun 15 13:20:19 debian pluto[27490]: | 'C=DE, ST=Bavaria, L=Munich, O=Org, OU=org-unit, CN=sub-ca'
Jun 15 13:20:19 debian pluto[27490]: | L2 - validity:
Jun 15 13:20:19 debian pluto[27490]: | L3 - notBefore:
Jun 15 13:20:19 debian pluto[27490]: | L4 - utcTime:
Jun 15 13:20:19 debian pluto[27490]: | 'Jun 15 13:10:56 UTC 2010'
Jun 15 13:20:19 debian pluto[27490]: | L3 - notAfter:
Jun 15 13:20:19 debian pluto[27490]: | L4 - utcTime:
Jun 15 13:20:19 debian pluto[27490]: | 'Jun 15 13:10:56 UTC 2011'
Jun 15 13:20:19 debian pluto[27490]: | L2 - subject:
Jun 15 13:20:19 debian pluto[27490]: | 'CN=srx5600'
Jun 15 13:20:19 debian pluto[27490]: | L2 - subjectPublicKeyInfo:
Jun 15 13:20:19 debian pluto[27490]: | -- > --
Jun 15 13:20:19 debian pluto[27490]: | L0 - subjectPublicKeyInfo:
Jun 15 13:20:19 debian pluto[27490]: | L1 - algorithm:
Jun 15 13:20:19 debian pluto[27490]: | L2 - algorithmIdentifier:
Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithm:
Jun 15 13:20:19 debian pluto[27490]: | 'rsaEncryption'
Jun 15 13:20:19 debian pluto[27490]: | L1 - subjectPublicKey:
Jun 15 13:20:19 debian pluto[27490]: | -- > --
Jun 15 13:20:19 debian pluto[27490]: | L0 - RSAPublicKey:
Jun 15 13:20:19 debian pluto[27490]: | L1 - modulus:
Jun 15 13:20:19 debian pluto[27490]: | L1 - publicExponent:
Jun 15 13:20:19 debian pluto[27490]: | -- < --
Jun 15 13:20:19 debian pluto[27490]: | -- < --
Jun 15 13:20:19 debian pluto[27490]: | L2 - optional extensions:
Jun 15 13:20:19 debian pluto[27490]: | L3 - extensions:
Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
Jun 15 13:20:19 debian pluto[27490]: | 'basicConstraints'
Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
Jun 15 13:20:19 debian pluto[27490]: | FALSE
Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
Jun 15 13:20:19 debian pluto[27490]: | L6 - basicConstraints:
Jun 15 13:20:19 debian pluto[27490]: | L7 - CA:
Jun 15 13:20:19 debian pluto[27490]: | FALSE
Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
Jun 15 13:20:19 debian pluto[27490]: | 'nsComment'
Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
Jun 15 13:20:19 debian pluto[27490]: | FALSE
Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
Jun 15 13:20:19 debian pluto[27490]: | L6 - nsComment:
Jun 15 13:20:19 debian pluto[27490]: | 'OpenSSL Generated Certificate'
Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
Jun 15 13:20:19 debian pluto[27490]: | 'subjectKeyIdentifier'
Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
Jun 15 13:20:19 debian pluto[27490]: | FALSE
Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
Jun 15 13:20:19 debian pluto[27490]: | L6 - keyIdentifier:
Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
Jun 15 13:20:19 debian pluto[27490]: | 'authorityKeyIdentifier'
Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
Jun 15 13:20:19 debian pluto[27490]: | FALSE
Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
Jun 15 13:20:19 debian pluto[27490]: | L6 - authorityKeyIdentifier:
Jun 15 13:20:19 debian pluto[27490]: | L7 - keyIdentifier:
Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
Jun 15 13:20:19 debian pluto[27490]: | 'subjectAltName'
Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
Jun 15 13:20:19 debian pluto[27490]: | FALSE
Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
Jun 15 13:20:19 debian pluto[27490]: | L6 - generalNames:
Jun 15 13:20:19 debian pluto[27490]: | L7 - generalName:
Jun 15 13:20:19 debian pluto[27490]: | L8 - ipAddress:
Jun 15 13:20:19 debian pluto[27490]: | '10.0.81.82'
Jun 15 13:20:19 debian pluto[27490]: | L1 - signatureAlgorithm:
Jun 15 13:20:19 debian pluto[27490]: | L2 - algorithmIdentifier:
Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithm:
Jun 15 13:20:19 debian pluto[27490]: | 'sha-1WithRSAEncryption'
Jun 15 13:20:19 debian pluto[27490]: | L1 - signatureValue:
Jun 15 13:20:19 debian pluto[27490]: | subject: 'CN=srx5600'
Jun 15 13:20:19 debian pluto[27490]: | issuer: 'C=DE, ST=Bavaria, L=Munich, O=Org, OU=org-unit, CN=sub-ca'
Jun 15 13:20:19 debian pluto[27490]: | authkey: 99:c8:85:a1:a1:4f:60:9a:1c:3a:6d:9e:f0:0f:3d:aa:d9:53:ef:71
Jun 15 13:20:19 debian pluto[27490]: | certificate is valid
Jun 15 13:20:19 debian pluto[27490]: "srx" #5: issuer cacert not found
Jun 15 13:20:19 debian pluto[27490]: "srx" #5: X.509 certificate rejected
Jun 15 13:20:19 debian pluto[27490]: | L0 - x509:
Jun 15 13:20:19 debian pluto[27490]: | L1 - tbsCertificate:
Jun 15 13:20:19 debian pluto[27490]: | L2 - DEFAULT v1:
Jun 15 13:20:19 debian pluto[27490]: | L3 - version:
Jun 15 13:20:19 debian pluto[27490]: | X.509v3
Jun 15 13:20:19 debian pluto[27490]: | L2 - serialNumber:
Jun 15 13:20:19 debian pluto[27490]: | L2 - signature:
Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithmIdentifier:
Jun 15 13:20:19 debian pluto[27490]: | L4 - algorithm:
Jun 15 13:20:19 debian pluto[27490]: | 'sha-1WithRSAEncryption'
Jun 15 13:20:19 debian pluto[27490]: | L2 - issuer:
Jun 15 13:20:19 debian pluto[27490]: | 'C=DE, ST=Bavaria, O=Org, OU=org-unit, CN=root-ca'
Jun 15 13:20:19 debian pluto[27490]: | L2 - validity:
Jun 15 13:20:19 debian pluto[27490]: | L3 - notBefore:
Jun 15 13:20:19 debian pluto[27490]: | L4 - utcTime:
Jun 15 13:20:19 debian pluto[27490]: | 'Jun 15 11:30:22 UTC 2010'
Jun 15 13:20:19 debian pluto[27490]: | L3 - notAfter:
Jun 15 13:20:19 debian pluto[27490]: | L4 - utcTime:
Jun 15 13:20:19 debian pluto[27490]: | 'Jun 15 11:30:22 UTC 2011'
Jun 15 13:20:19 debian pluto[27490]: | L2 - subject:
Jun 15 13:20:19 debian pluto[27490]: | 'C=DE, ST=Bavaria, L=Munich, O=Org, OU=org-unit, CN=sub-ca'
Jun 15 13:20:19 debian pluto[27490]: | L2 - subjectPublicKeyInfo:
Jun 15 13:20:19 debian pluto[27490]: | -- > --
Jun 15 13:20:19 debian pluto[27490]: | L0 - subjectPublicKeyInfo:
Jun 15 13:20:19 debian pluto[27490]: | L1 - algorithm:
Jun 15 13:20:19 debian pluto[27490]: | L2 - algorithmIdentifier:
Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithm:
Jun 15 13:20:19 debian pluto[27490]: | 'rsaEncryption'
Jun 15 13:20:19 debian pluto[27490]: | L1 - subjectPublicKey:
Jun 15 13:20:19 debian pluto[27490]: | -- > --
Jun 15 13:20:19 debian pluto[27490]: | L0 - RSAPublicKey:
Jun 15 13:20:19 debian pluto[27490]: | L1 - modulus:
Jun 15 13:20:19 debian pluto[27490]: | L1 - publicExponent:
Jun 15 13:20:19 debian pluto[27490]: | -- < --
Jun 15 13:20:19 debian pluto[27490]: | -- < --
Jun 15 13:20:19 debian pluto[27490]: | L2 - optional extensions:
Jun 15 13:20:19 debian pluto[27490]: | L3 - extensions:
Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
Jun 15 13:20:19 debian pluto[27490]: | 'basicConstraints'
Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
Jun 15 13:20:19 debian pluto[27490]: | FALSE
Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
Jun 15 13:20:19 debian pluto[27490]: | L6 - basicConstraints:
Jun 15 13:20:19 debian pluto[27490]: | L7 - CA:
Jun 15 13:20:19 debian pluto[27490]: | FALSE
Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
Jun 15 13:20:19 debian pluto[27490]: | 'nsComment'
Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
Jun 15 13:20:19 debian pluto[27490]: | FALSE
Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
Jun 15 13:20:19 debian pluto[27490]: | L6 - nsComment:
Jun 15 13:20:19 debian pluto[27490]: | 'OpenSSL Generated Certificate'
Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
Jun 15 13:20:19 debian pluto[27490]: | 'subjectKeyIdentifier'
Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
Jun 15 13:20:19 debian pluto[27490]: | FALSE
Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
Jun 15 13:20:19 debian pluto[27490]: | L6 - keyIdentifier:
Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
Jun 15 13:20:19 debian pluto[27490]: | 'authorityKeyIdentifier'
Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
Jun 15 13:20:19 debian pluto[27490]: | FALSE
Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
Jun 15 13:20:19 debian pluto[27490]: | L6 - authorityKeyIdentifier:
Jun 15 13:20:19 debian pluto[27490]: | L7 - keyIdentifier:
Jun 15 13:20:19 debian pluto[27490]: | L1 - signatureAlgorithm:
Jun 15 13:20:19 debian pluto[27490]: | L2 - algorithmIdentifier:
Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithm:
Jun 15 13:20:19 debian pluto[27490]: | 'sha-1WithRSAEncryption'
Jun 15 13:20:19 debian pluto[27490]: | L1 - signatureValue:
Jun 15 13:20:19 debian pluto[27490]: | subject: 'C=DE, ST=Bavaria, L=Munich, O=Org, OU=org-unit, CN=sub-ca'
Jun 15 13:20:19 debian pluto[27490]: | issuer: 'C=DE, ST=Bavaria, O=Org, OU=org-unit, CN=root-ca'
Jun 15 13:20:19 debian pluto[27490]: | authkey: 9b:d6:5a:04:bb:e6:22:83:e4:d2:38:15:50:d8:57:a4:da:07:8d:fe
Jun 15 13:20:19 debian pluto[27490]: | certificate is valid
Jun 15 13:20:19 debian pluto[27490]: | issuer cacert found
Jun 15 13:20:19 debian pluto[27490]: | signature verification:
Jun 15 13:20:19 debian pluto[27490]: | L0 - digestInfo:
Jun 15 13:20:19 debian pluto[27490]: | L1 - digestAlgorithm:
Jun 15 13:20:19 debian pluto[27490]: | L2 - algorithmIdentifier:
Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithm:
Jun 15 13:20:19 debian pluto[27490]: | 'sha-1'
Jun 15 13:20:19 debian pluto[27490]: | L1 - digest:
Jun 15 13:20:19 debian pluto[27490]: | certificate signature is valid
Jun 15 13:20:19 debian pluto[27490]: "srx" #5: crl not found
Jun 15 13:20:19 debian pluto[27490]: "srx" #5: certificate status unknown
Jun 15 13:20:19 debian pluto[27490]: | subject: 'C=DE, ST=Bavaria, O=Org, OU=org-unit, CN=root-ca'
Jun 15 13:20:19 debian pluto[27490]: | issuer: 'C=DE, ST=Bavaria, O=Org, OU=org-unit, CN=root-ca'
Jun 15 13:20:19 debian pluto[27490]: | authkey: 9b:d6:5a:04:bb:e6:22:83:e4:d2:38:15:50:d8:57:a4:da:07:8d:fe
Jun 15 13:20:19 debian pluto[27490]: | certificate is valid
Jun 15 13:20:19 debian pluto[27490]: | issuer cacert found
Jun 15 13:20:19 debian pluto[27490]: | certificate signature is valid
Jun 15 13:20:19 debian pluto[27490]: | reached self-signed root ca with a path length of 0
Jun 15 13:20:19 debian pluto[27490]: | Public key validated
Jun 15 13:20:19 debian pluto[27490]: | L0 - x509:
Jun 15 13:20:19 debian pluto[27490]: | L1 - tbsCertificate:
Jun 15 13:20:19 debian pluto[27490]: | L2 - DEFAULT v1:
Jun 15 13:20:19 debian pluto[27490]: | L3 - version:
Jun 15 13:20:19 debian pluto[27490]: | X.509v3
Jun 15 13:20:19 debian pluto[27490]: | L2 - serialNumber:
Jun 15 13:20:19 debian pluto[27490]: | L2 - signature:
Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithmIdentifier:
Jun 15 13:20:19 debian pluto[27490]: | L4 - algorithm:
Jun 15 13:20:19 debian pluto[27490]: | 'sha-1WithRSAEncryption'
Jun 15 13:20:19 debian pluto[27490]: | L2 - issuer:
Jun 15 13:20:19 debian pluto[27490]: | 'C=DE, ST=Bavaria, O=Org, OU=org-unit, CN=root-ca'
Jun 15 13:20:19 debian pluto[27490]: | L2 - validity:
Jun 15 13:20:19 debian pluto[27490]: | L3 - notBefore:
Jun 15 13:20:19 debian pluto[27490]: | L4 - utcTime:
Jun 15 13:20:19 debian pluto[27490]: | 'Jun 14 19:42:33 UTC 2010'
Jun 15 13:20:19 debian pluto[27490]: | L3 - notAfter:
Jun 15 13:20:19 debian pluto[27490]: | L4 - utcTime:
Jun 15 13:20:19 debian pluto[27490]: | 'Jun 13 19:42:33 UTC 2013'
Jun 15 13:20:19 debian pluto[27490]: | L2 - subject:
Jun 15 13:20:19 debian pluto[27490]: | 'C=DE, ST=Bavaria, O=Org, OU=org-unit, CN=root-ca'
Jun 15 13:20:19 debian pluto[27490]: | L2 - subjectPublicKeyInfo:
Jun 15 13:20:19 debian pluto[27490]: | -- > --
Jun 15 13:20:19 debian pluto[27490]: | L0 - subjectPublicKeyInfo:
Jun 15 13:20:19 debian pluto[27490]: | L1 - algorithm:
Jun 15 13:20:19 debian pluto[27490]: | L2 - algorithmIdentifier:
Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithm:
Jun 15 13:20:19 debian pluto[27490]: | 'rsaEncryption'
Jun 15 13:20:19 debian pluto[27490]: | L1 - subjectPublicKey:
Jun 15 13:20:19 debian pluto[27490]: | -- > --
Jun 15 13:20:19 debian pluto[27490]: | L0 - RSAPublicKey:
Jun 15 13:20:19 debian pluto[27490]: | L1 - modulus:
Jun 15 13:20:19 debian pluto[27490]: | L1 - publicExponent:
Jun 15 13:20:19 debian pluto[27490]: | -- < --
Jun 15 13:20:19 debian pluto[27490]: | -- < --
Jun 15 13:20:19 debian pluto[27490]: | L2 - optional extensions:
Jun 15 13:20:19 debian pluto[27490]: | L3 - extensions:
Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
Jun 15 13:20:19 debian pluto[27490]: | 'subjectKeyIdentifier'
Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
Jun 15 13:20:19 debian pluto[27490]: | FALSE
Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
Jun 15 13:20:19 debian pluto[27490]: | L6 - keyIdentifier:
Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
Jun 15 13:20:19 debian pluto[27490]: | 'authorityKeyIdentifier'
Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
Jun 15 13:20:19 debian pluto[27490]: | FALSE
Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
Jun 15 13:20:19 debian pluto[27490]: | L6 - authorityKeyIdentifier:
Jun 15 13:20:19 debian pluto[27490]: | L7 - keyIdentifier:
Jun 15 13:20:19 debian pluto[27490]: | L7 - authorityCertIssuer:
Jun 15 13:20:19 debian pluto[27490]: | L7 - authorityCertSerialNumber:
Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
Jun 15 13:20:19 debian pluto[27490]: | 'basicConstraints'
Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
Jun 15 13:20:19 debian pluto[27490]: | TRUE
Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
Jun 15 13:20:19 debian pluto[27490]: | L6 - basicConstraints:
Jun 15 13:20:19 debian pluto[27490]: | L7 - CA:
Jun 15 13:20:19 debian pluto[27490]: | TRUE
Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
Jun 15 13:20:19 debian pluto[27490]: | 'keyUsage'
Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
Jun 15 13:20:19 debian pluto[27490]: | FALSE
Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
Jun 15 13:20:19 debian pluto[27490]: | L1 - signatureAlgorithm:
Jun 15 13:20:19 debian pluto[27490]: | L2 - algorithmIdentifier:
Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithm:
Jun 15 13:20:19 debian pluto[27490]: | 'sha-1WithRSAEncryption'
Jun 15 13:20:19 debian pluto[27490]: | L1 - signatureValue:
Jun 15 13:20:19 debian pluto[27490]: | signature verification:
Jun 15 13:20:19 debian pluto[27490]: | L0 - digestInfo:
Jun 15 13:20:19 debian pluto[27490]: | L1 - digestAlgorithm:
Jun 15 13:20:19 debian pluto[27490]: | L2 - algorithmIdentifier:
Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithm:
Jun 15 13:20:19 debian pluto[27490]: | 'sha-1'
Jun 15 13:20:19 debian pluto[27490]: | L1 - digest:
Jun 15 13:20:19 debian pluto[27490]: | subject: 'C=DE, ST=Bavaria, O=Org, OU=org-unit, CN=root-ca'
Jun 15 13:20:19 debian pluto[27490]: | issuer: 'C=DE, ST=Bavaria, O=Org, OU=org-unit, CN=root-ca'
Jun 15 13:20:19 debian pluto[27490]: | authkey: 9b:d6:5a:04:bb:e6:22:83:e4:d2:38:15:50:d8:57:a4:da:07:8d:fe
Jun 15 13:20:19 debian pluto[27490]: | certificate is valid
Jun 15 13:20:19 debian pluto[27490]: | issuer cacert found
Jun 15 13:20:19 debian pluto[27490]: | signature verification:
Jun 15 13:20:19 debian pluto[27490]: | L0 - digestInfo:
Jun 15 13:20:19 debian pluto[27490]: | L1 - digestAlgorithm:
Jun 15 13:20:19 debian pluto[27490]: | L2 - algorithmIdentifier:
Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithm:
Jun 15 13:20:19 debian pluto[27490]: | 'sha-1'
Jun 15 13:20:19 debian pluto[27490]: | L1 - digest:
Jun 15 13:20:19 debian pluto[27490]: | certificate signature is valid
Jun 15 13:20:19 debian pluto[27490]: "srx" #5: crl not found
Jun 15 13:20:19 debian pluto[27490]: "srx" #5: certificate status unknown
Jun 15 13:20:19 debian pluto[27490]: | subject: 'C=DE, ST=Bavaria, O=Org, OU=org-unit, CN=root-ca'
Jun 15 13:20:19 debian pluto[27490]: | issuer: 'C=DE, ST=Bavaria, O=Org, OU=org-unit, CN=root-ca'
Jun 15 13:20:19 debian pluto[27490]: | authkey: 9b:d6:5a:04:bb:e6:22:83:e4:d2:38:15:50:d8:57:a4:da:07:8d:fe
Jun 15 13:20:19 debian pluto[27490]: | certificate is valid
Jun 15 13:20:19 debian pluto[27490]: | issuer cacert found
Jun 15 13:20:19 debian pluto[27490]: | certificate signature is valid
Jun 15 13:20:19 debian pluto[27490]: | reached self-signed root ca with a path length of 0
Jun 15 13:20:19 debian pluto[27490]: | Public key validated
Jun 15 13:20:19 debian pluto[27490]: "srx" #5: no public key known for '10.0.81.82'
Jun 15 13:20:19 debian pluto[27490]: "srx" #5: sending encrypted notification INVALID_KEY_INFORMATION to 10.0.81.82:500

--
Regards  * Holger Metschulat
Holger   * e-mail: [email protected], http://home.arcor.de/estw
"Internet use is a privilege and not a right." (Computer room regulations at the university, 1994)
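
Added example, not part of the original post and not strongSwan code: a simplified Python model contrasting a receiver that checks each certificate in arrival order with one that pools the bundle and then builds the path, using the subject names from the post. Assumptions: certificates are constructed records matched by name only (no keys or signatures), and the model also honours the basicConstraints CA flag, which the log above prints as FALSE for the sub-ca certificate; the post does not establish which of these effects pluto is exhibiting.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool  # basicConstraints CA flag


# Constructed records: names follow the post, there are no real keys.
# Matching issuer to subject by name stands in for signature verification.
ROOT = Cert("CN=root-ca", "CN=root-ca", True)
SUB_OK = Cert("CN=sub-ca", "CN=root-ca", True)
SUB_AS_LOGGED = Cert("CN=sub-ca", "CN=root-ca", False)  # log prints CA: FALSE
LEAF = Cert("CN=srx5600", "CN=sub-ca", False)


def validate_in_arrival_order(received, anchors):
    """Order-dependent model: each certificate is judged when it arrives,
    against the CA certificates known so far. Returns accepted subjects."""
    cas = {c.subject: c for c in anchors}
    accepted = []
    for cert in received:
        if cert.issuer not in cas:
            continue  # issuer unknown at this moment: rejected, never retried
        accepted.append(cert.subject)
        if cert.is_ca:
            cas[cert.subject] = cert  # only CA certificates may issue later ones
    return accepted


def build_path(leaf_subject, received, anchors, max_depth=8):
    """Order-independent model: pool every received certificate first, then
    walk issuer links from the leaf to a locally configured trust anchor.
    Returns the path as a list of subjects, or None if no path exists."""
    pool = {c.subject: c for c in received}
    trusted = {c.subject for c in anchors}  # trust comes from local config only
    cert = pool.get(leaf_subject)
    path = []
    while cert is not None and len(path) < max_depth:
        path.append(cert.subject)
        if cert.issuer in trusted:
            return path + [cert.issuer]
        issuer = pool.get(cert.issuer)
        if issuer is None or not issuer.is_ca:
            return None  # missing intermediate, or intermediate is not a CA
        cert = issuer
    return None


if __name__ == "__main__":
    wire_order = [LEAF, SUB_OK, ROOT]  # order reported in the post
    print(validate_in_arrival_order(wire_order, [ROOT]))
    print(build_path("CN=srx5600", wire_order, [ROOT]))
    print(build_path("CN=srx5600", [LEAF, SUB_AS_LOGGED, ROOT], [ROOT]))
```
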
