Hello Noel. The Debian strongswan-standard-plugins package was missing (because of some earlier upgrade issues); I've reinstalled it and this fixed the problem.

2017-02-16 21:59 GMT+01:00 Noel Kuntze <[email protected]>:

> Hello John,
>
> > In the meantime my experiments have shown that the problem was not
> > associated with certificates at all. This message about bad signature was a
> > result of missing some strongswan basic plugins (so it was an unexpected
> > strongswan installation problem!), all the certificates involved in
> > authentication had valid signatures.
>
> I doubt that. What did you do to fix it?
>
> On 16.02.2017 09:25, John Brown wrote:
> > Hi Tobias,
> > Sorry for delay, I didn't notice your message.
> >
> > In the meantime my experiments have shown that the problem was not
> > associated with certificates at all. This message about bad signature was a
> > result of missing some strongswan basic plugins (so it was an unexpected
> > strongswan installation problem!), all the certificates involved in
> > authentication had valid signatures.
> >
> > But extracting the certificates from log can be useful in future, I'm
> > going to try your advice. I was trying "enc 4" before but could not find
> > the payload I was interested in - now if I know that they are in logs for
> > sure, I'm going to pay more attention during searching the logs.
> >
> > Thank you for your help,
> > Best regards,
> > John
> >
> > 2017-01-25 11:31 GMT+01:00 Tobias Brunner <[email protected]>:
> >
> > > Hi John,
> > >
> > > > We have problems with certificate authentication and see "RSA signature
> > > > verification failed: Bad signature" during strongswan connection try. We
> > > > would like to retrieve all remote certificate chain to "manually" check
> > > > this issue. Is this possible using strongswan (for example by enabling
> > > > some debugs)?
> > >
> > > You could increase the log level to get the certificates sent by the
> > > peer. But I'm not sure if that would help much. When exactly does this
> > > happen? When verifying a certificate? When verifying the IKE
> > > authentication? Do you use IKEv2 or IKEv1? Do you have the correct
> > > root CA certificate installed?
> > >
> > > Anyway, if you want to extract the certificates from the log you may
> > > increase the log level for the enc subsystem to 3 [1]. You'll get lots
> > > of output that way, look for data logged for CERTIFICATE payloads
> > > (you'll also have to reconstruct the binary data from the hex output in
> > > the log).
> > >
> > > Regards,
> > > Tobias
> > >
> > > [1] https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
> >
> > _______________________________________________
> > Users mailing list
> > [email protected]
> > https://lists.strongswan.org/mailman/listinfo/users
>
> --
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
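
The step Tobias describes in the quoted reply (enc at level 3, find the data logged for CERTIFICATE payloads, rebuild the binary from the hex output) can be scripted. The Python below is an added example, not part of the thread or of strongSwan; the dump layout it parses is an assumption about charon's output, and the sample log lines are constructed.

```python
import re

# Assumed charon output with "enc = 3": a "=> N bytes @ 0x..." header, then rows
# "<offset>: <up to 16 hex pairs>  <ascii>", each behind the "NN[ENC]" prefix.
HEADER = re.compile(r"\[ENC\].*=> (\d+) bytes @")
ROW = re.compile(r"\[ENC\]\s+(\d+): ((?:[0-9A-Fa-f]{2} ){0,15}[0-9A-Fa-f]{2})(?:  |$)")

def extract_dumps(log_text):
    """Return every complete hex dump in the log as bytes, in log order."""
    dumps, buf, want = [], None, 0
    for line in log_text.splitlines():
        head, row = HEADER.search(line), ROW.search(line)
        if head:
            buf, want = bytearray(), int(head.group(1))
        elif row and buf is not None and int(row.group(1)) == len(buf):
            buf += bytes.fromhex(row.group(2))
            if len(buf) == want:
                dumps.append(bytes(buf))
                buf = None
        else:
            buf = None  # gap, interleaved line or truncation: discard partial dump
    return dumps

def der_total_len(data):
    """Encoded length of a DER SEQUENCE starting at data[0], or None."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    if data[1] < 0x80:                      # short-form length
        return 2 + data[1]
    n = data[1] & 0x7F                      # long form: n length octets follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def certificate_candidates(dumps):
    """Keep dumps that are exactly one DER SEQUENCE (outer shape of X.509)."""
    return [d for d in dumps if der_total_len(d) == len(d)]

# Constructed sample lines (not real traffic): a 20-byte SEQUENCE and a 4-byte field.
SAMPLE_LOG = """\
05[ENC]   => 20 bytes @ 0x7f0000001000
05[ENC]    0: 30 12 02 01 01 04 0D 63 6F 6E 73 74 72 75 63 74  0......construct
05[ENC]   16: 65 64 21 21                                      ed!!
05[ENC]   => 4 bytes @ 0x7f0000002000
05[ENC]    0: 00 00 00 28                                      ...(
"""

if __name__ == "__main__":
    for i, der in enumerate(certificate_candidates(extract_dumps(SAMPLE_LOG))):
        print(f"candidate {i}: {len(der)} bytes, starts {der[:4].hex()}")
```

Each candidate written to a file can then be inspected with `openssl x509 -inform DER -noout -text -in <file>`, which also shows whether it parses as a certificate at all.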
