Thank you very much! It works. Writing note now......
On Thu, Nov 22, 2012 at 11:38 PM, Andreas Steffen <[email protected]> wrote:
> Hi,
>
> sorry I confounded the CERTREQ hash which is computed over the
> public key info record with the HASH-and-URL hash which goes over
> the whole DER-encoded certificate.
>
> Use our ipsec pki command to extract the keyid from the CA Certificate:
>
> ipsec pki --print --in etc/ipsec.d/cacerts/strongswanCert.pem
>   cert:      X509
>   subject:  "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
>   issuer:   "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
>   validity:  not before Sep 10 12:01:18 2004, ok
>              not after  Sep 07 12:01:18 2019, ok (expires in 2479 days)
>   serial:    00
>   flags:     CA CRLSign self-signed
>   pathlen:   1
>   authkeyId: 5d:a7:dd:70:06:51:32:7e:e7:b6:6d:b3:b5:e5:e0:60:ea:2e:4d:ef
>   subjkeyId: 5d:a7:dd:70:06:51:32:7e:e7:b6:6d:b3:b5:e5:e0:60:ea:2e:4d:ef
>   pubkey:    RSA 2048 bits
>   keyid:     ae:09:6b:87:b4:48:86:d3:b8:20:97:86:23:da:bd:0e:ae:22:eb:bc
>   subjkey:   5d:a7:dd:70:06:51:32:7e:e7:b6:6d:b3:b5:e5:e0:60:ea:2e:4d:ef
>
> The value to use in the CERTREQ is keyid: ae:09:...:eb:bc
>
> Regards
>
> Andreas
>
>
> On 11/22/2012 02:21 AM, Jun Yin wrote:
>>
>> hi,
>>
>> Thank you very much, you helped me a lot.
>>
>> Now problems 1 & 2 are resolved; I can specify which CA is to be sent
>> in the certreq now.
>> For question 3, something is still wrong.
>>
>> From my decrypted packet, I can see strongswan send out:
>>
>> Certificate Authority Data: 2b6d55461e944f4e1eb197fedaf1bbeba2011c90
>>
>>
>> I calculated the value by myself with your command:
>>
>> root@pc161:~# openssl x509 -in /etc/ipsec.d/cacerts/cacert_hans_216_sub3_ca.pem -outform der -out cert.der
>> root@pc161:~# hash=`sha1sum cert.der | awk '{ print $1 }'`
>> root@pc161:~# echo $hash
>> 5cf9759c64f7fd5cd28b47a3d1ac7f2ef4ee76c1
>> root@pc161:~# sha1sum cert.der
>> 5cf9759c64f7fd5cd28b47a3d1ac7f2ef4ee76c1  cert.der
>>
>>
>> The value does not match! I must have done something wrong. Could you
>> help me figure it out?
>> I attached my cacert to this email. Thanks again.
>>
>>
>>
>>
>> On Wed, Nov 21, 2012 at 12:09 PM, Andreas Steffen
>> <[email protected]> wrote:
>>>
>>> On 11/21/2012 08:47 PM, Jun Yin wrote:
>>>>
>>>>
>>>> Hi,
>>>>
>>>> I know certreq should be filled by part of the hash of the certificate
>>>> authority, but I don't know an easy way to calculate it by myself.
>>>>
>>>> From my debug:
>>>>
>>>>
>>>>
>>>> Nov 20 18:09:15 pc161 charon: 16[IKE] local host is behind NAT, sending keep alives
>>>> Nov 20 18:09:15 pc161 charon: 16[IKE] received 1 cert requests for an unknown ca
>>>> Nov 20 18:09:15 pc161 charon: 16[IKE] sending cert request for "C=CA, ST=bc, L=vancouver, O=fortinet, OU=qa, CN=hans_216, [email protected]"
>>>> Nov 20 18:09:15 pc161 charon: 16[IKE] sending cert request for "C=CA, ST=bc, L=vancouver, O=fortinet, OU=qa, CN=hans_216_sub2, [email protected]"
>>>> Nov 20 18:09:16 pc161 charon: 16[IKE] authentication of 'C=CA, ST=bc, L=vancouver, O=fortinet, OU=qa, CN=dut2_sub3_alt, [email protected]' (myself) with RSA signature successful
>>>>
>>>>
>>>> 1. The second line said "requests for an unknown ca". I don't know
>>>> why; I suppose I have all relevant cacerts in the directory
>>>> /etc/ipsec.d/cacert. So, does that mean my peer is sending a wrong
>>>> value in the certreq field?
>>>>
>>> Probably yes, since all CA certificates from /etc/ipsec.d/cacerts/
>>> or loaded via ca sections in /etc/ipsec.conf are checked.
>>>
>>>
>>>> 2. The third and fourth line said we're building our certreq field and
>>>> sending it. My question is: how does strongSwan choose which cacert to
>>>> send? I actually have 4 cacerts in my directory /etc/ipsec.d/cacert.
>>>> Why does strongSwan choose two of them? By which rule?
>>>>
>>> By default the SHA1 hashes of all CA certificates in
>>> /etc/ipsec.d/cacerts/ and optionally loaded via ca sections in
>>> /etc/ipsec.conf are sent in the CERTREQ but if you define
>>>
>>>   rightca = "<Subject Distinguished Name of CA>"
>>>
>>> in the connection definition then only the given CA will be requested.
>>>
>>>
>>>> 3. To confirm whether strongSwan is sending the correct certreq, is
>>>> there a way to calculate the certreq field value by ourselves, like
>>>> an openssl command?
>>>>
>>> Use these commands:
>>>
>>>   openssl x509 -in cert.pem -outform der -out cert.der
>>>
>>>   hash=`sha1sum cert.der | awk '{ print $1 }'`
>>>
>>>>
>>>> Thanks!
>>>>
>>>
>>> Regards
>>>
>>> Andreas
>
>
> ======================================================================
> Andreas Steffen                         [email protected]
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==

--
Rgds,
Hans Yin
Web: http://sourceforge.net/projects/autotestnet/
Email: [email protected]
MSN: [email protected]
Skype: hans_yin_vancouver

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
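The whole thread turns on which bytes get hashed: the IKEv2 CERTREQ carries SHA-1 over the CA certificate's SubjectPublicKeyInfo (what `ipsec pki --print` labels `keyid`), whereas `sha1sum cert.der` hashes the entire DER certificate, which is the HASH-and-URL value. The following Python script is an added example, written for this page and not code from strongSwan or from anyone in the thread. It computes both digests from a PEM file using only the standard library; the helper names (`read_tlv`, `subject_public_key_info`, `certreq_keyid`, `hash_and_url_hash`, `build_sample_cert`) are my own, and the certificate it builds when run without arguments is a constructed, unsigned skeleton used purely so the parser can be exercised offline.

```python
"""Compute the IKEv2 CERTREQ keyid (SHA-1 over SubjectPublicKeyInfo) and the
HASH-and-URL hash (SHA-1 over the whole DER certificate) for a CA cert."""
import base64
import hashlib
import re
import sys


def read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at buf[pos].

    Returns (tag, value_start, value_end); value_end is also where the next
    sibling element begins. DER only allows definite lengths, so that is all
    this accepts.
    """
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: 0x8n then n length bytes
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, pos, end


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the certificate body."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def subject_public_key_info(cert_der: bytes) -> bytes:
    """Return the DER bytes (tag and length included) of subjectPublicKeyInfo.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, tbs_start, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    tag, pos, tbs_end = read_tlv(cert_der, tbs_start)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, _, end = read_tlv(cert_der, pos)  # explicit [0] version is optional (v1 certs omit it)
    if tag == 0xA0:
        pos = end
    for _ in range(5):                     # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    tag, _, end = read_tlv(cert_der, pos)
    if tag != 0x30 or end > tbs_end:
        raise ValueError("subjectPublicKeyInfo not found where expected")
    return cert_der[pos:end]


def certreq_keyid(cert_der: bytes) -> str:
    """SHA-1 over SubjectPublicKeyInfo: the value carried in the IKEv2 CERTREQ."""
    return hashlib.sha1(subject_public_key_info(cert_der)).hexdigest()


def hash_and_url_hash(cert_der: bytes) -> str:
    """SHA-1 over the complete DER certificate: the HASH-and-URL value."""
    return hashlib.sha1(cert_der).hexdigest()


def colonize(hexdigest: str) -> str:
    """Render aabbcc... as aa:bb:cc..., the way `ipsec pki --print` shows keyid."""
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def _tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with a definite (short or long form) length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + content


def build_sample_cert():
    """Constructed test certificate (not a real CA, signature is dummy zeros).

    Returns (cert_der, spki_der) so callers can check the parser against the
    SubjectPublicKeyInfo that was actually encoded.
    """
    sig_alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))  # sha256WithRSA
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, bytes.fromhex("550403")) + _tlv(0x0C, b"Sample CA"))))
    validity = _tlv(0x30, _tlv(0x17, b"121122000000Z") + _tlv(0x17, b"221122000000Z"))
    rsa_key = _tlv(0x30, _tlv(0x02, b"\x00" + bytes(range(0x81, 0xC1))) + _tlv(0x02, b"\x01\x00\x01"))
    spki = _tlv(0x30, _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d010101")) + _tlv(0x05, b""))
                + _tlv(0x03, b"\x00" + rsa_key))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + sig_alg
               + name + validity + name + spki)
    return _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00" + bytes(64))), spki


if __name__ == "__main__":
    der = pem_to_der(open(sys.argv[1]).read()) if len(sys.argv) == 2 else build_sample_cert()[0]
    print("CERTREQ keyid (SHA-1 of SubjectPublicKeyInfo):", colonize(certreq_keyid(der)))
    print("HASH-and-URL  (SHA-1 of whole DER cert)      :", colonize(hash_and_url_hash(der)))
```

Run it as `python3 certreq_hash.py /etc/ipsec.d/cacerts/yourCA.pem` and the first line should match the `keyid` printed by `ipsec pki --print --in yourCA.pem` and the Certification Authority data seen in the decrypted CERTREQ; the second line is what `sha1sum cert.der` produces. The same keyid can be obtained with OpenSSL alone (my usual pipeline, not from the thread) by extracting the public key in DER form and hashing it: `openssl x509 -in yourCA.pem -pubkey -noout | openssl pkey -pubin -outform DER | sha1sum`. On the detection side, a CERTREQ whose hash matches none of these values for your trusted CAs is exactly what charon logs as "cert requests for an unknown ca".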
