On 11/21/2012 08:47 PM, Jun Yin wrote:
> Hi,
>
> I know certreq should be filled by part of hash of certificate
> authority, but I don't know an easy way to calculate it by myself.
>
>>From my debug:
>
> Nov 20 18:09:15 pc161 charon: 16[IKE] local host is behind NAT,
> sending keep alives
> Nov 20 18:09:15 pc161 charon: 16[IKE] received 1 cert requests for an unknown
> ca
> Nov 20 18:09:15 pc161 charon: 16[IKE] sending cert request for "C=CA,
> ST=bc, L=vancouver, O=fortinet, OU=qa, CN=hans_216,
> [email protected]"
> Nov 20 18:09:15 pc161 charon: 16[IKE] sending cert request for "C=CA,
> ST=bc, L=vancouver, O=fortinet, OU=qa, CN=hans_216_sub2,
> [email protected]"
> Nov 20 18:09:16 pc161 charon: 16[IKE] authentication of 'C=CA, ST=bc,
> L=vancouver, O=fortinet, OU=qa, CN=dut2_sub3_alt,
> [email protected]' (myself) with RSA signature successful
>
>
> 1. The second line said "requests for an unknown ca". I don't know
> why, I suppose I have all relevant cacert in directory
> /etc/ipsec.d/cacert. So, is that means my peer sending a wrong value
> in certreq field?
>
Probably yes, since all CA certificates from /etc/ipsec.d/cacerts/
or loaded via ca sections in /etc/ipsec.conf are checked.
> 2. The third and fourth line said we're building our certreq field and
> sending it. My questions is how do strongswan choose cacert to send? I
> actually have 4 cacert in my directory /etc/ipsec.d/cacert. Why do
> strongswan choose two of them? which kind of rule?
>
By default the SHA1 hashes of all CA certificates in
/etc/ipsec.d/cacerts/ and optionally loaded via ca sections in
/etc/ipsec.conf are sent in the CERTREQ but if you define
rightca = "<Subject Distinguished Name of CA>
in the connection definition then only the given CA will be requested.
> 3. To confirm if strongswan are sending correct certreq, is there a
> way to calculate certreq field value by ourself? like an openssl
> command?
>
Use these commands:
openssl x509 -in cert.pem -outform der -out cert.der
hash=`sha1sum cert.der | awk '{ print $1 }'`
>
> Thanks!
>
Regards
Andreas
======================================================================
Andreas Steffen [email protected]
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
