Hello John,

> In the meantime my experiments have shown that the problem was not associated
> with certificates at all. This message about bad signature was a result of
> missing some strongswan basic plugins (so it was an unexpected strongswan
> installation problem!), all the certificates involved in authentication had
> valid signatures.

I doubt that. What did you do to fix it?

On 16.02.2017 09:25, John Brown wrote:
> Hi Tobias,
> Sorry for the delay, I didn't notice your message.
>
> In the meantime my experiments have shown that the problem was not associated
> with certificates at all. This message about bad signature was a result of
> missing some strongswan basic plugins (so it was an unexpected strongswan
> installation problem!), all the certificates involved in authentication had
> valid signatures.
>
> But extracting the certificates from log can be useful in future, I'm going
> to try your advice. I was trying "enc 4" before but could not find the
> payload I was interested in - now if I know that they are in logs for sure,
> I'm going to pay more attention during searching the logs.
>
> Thank you for your help,
> Best regards,
> John
>
>
> 2017-01-25 11:31 GMT+01:00 Tobias Brunner <tob...@strongswan.org>:
>
>     Hi John,
>
>     > We have problems with certificate authentication and see "RSA signature
>     > verification failed: Bad signature" during strongswan connection try. We
>     > would like to retrieve all remote certificate chain to "manually" check
>     > this issue. Is this possible using strongswan (for example by enabling
>     > some debugs)?
>
>     You could increase the log level to get the certificates sent by the
>     peer. But I'm not sure if that would help much. When exactly does this
>     happen? When verifying a certificate? When verifying the IKE
>     authentication? Do you use IKEv2 or IKEv1? Do you have the correct
>     root CA certificate installed?
>
>     Anyway, if you want to extract the certificates from the log you may
>     increase the log level for the enc subsystem to 3 [1]. You'll get lots
>     of output that way, look for data logged for CERTIFICATE payloads
>     (you'll also have to reconstruct the binary data from the hex output in
>     the log).
>
>     Regards,
>     Tobias
>
>     [1] https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
>
>
> _______________________________________________
> Users mailing list
> Users@lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
>

--
Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
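Added example, not part of the thread and not strongSwan code: one way to do the "reconstruct the binary data from the hex output" step Tobias mentions, rejecting dumps that have gaps or are cut short before wrapping the result as PEM. It assumes the dump block has been isolated by hand, contains only the DER bytes, and uses the line layout noted in the comment; the function names and the sample lines are constructed for illustration.

```python
import base64
import re

# Assumed dump line shape (not taken from the thread): optional log prefix,
# decimal byte offset, up to 16 hex bytes, then an ASCII column.
DUMP_LINE = re.compile(r"(?:^|\s)(\d+): ((?:[0-9A-Fa-f]{2} ){0,15}[0-9A-Fa-f]{2})(?:\s|$)")

# Constructed sample: a 20-byte DER SEQUENCE, not a real certificate or real log output.
SAMPLE = [
    "05[ENC] constructed sample line without dump data",
    "05[ENC]    0: 30 12 02 01 01 0C 0D 63 6F 6E 73 74 72 75 63 74  0......construct",
    "05[ENC]   16: 65 64 21 21                                      ed!!",
]

def bytes_from_hexdump(lines):
    """Rebuild the blob from dump lines; refuse dumps with missing lines."""
    data = bytearray()
    for line in lines:
        m = DUMP_LINE.search(line)
        if not m:
            continue  # ordinary log text, no dump data
        if int(m.group(1)) != len(data):
            raise ValueError(f"gap in dump at offset {len(data)}")
        data += bytes.fromhex(m.group(2))
    return bytes(data)

def der_total_length(blob):
    """Encoded size (header plus content) of the DER element starting at blob[0]."""
    if len(blob) < 2:
        raise ValueError("too short for a DER header")
    if blob[1] < 0x80:                      # short form: length fits in one byte
        return 2 + blob[1]
    n = blob[1] & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(blob) < 2 + n:
        raise ValueError("bad or truncated DER length")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")

def to_pem(der):
    """Wrap a complete DER SEQUENCE as PEM so other tools can read it."""
    if der[:1] != b"\x30" or der_total_length(der) != len(der):
        raise ValueError("not a complete DER SEQUENCE; wrong or truncated dump block")
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    print(to_pem(bytes_from_hexdump(SAMPLE)))
```

A PEM file produced this way from a real dump can then be checked outside strongSwan, for example with `openssl x509 -in peer.pem -noout -text`.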