ISAKMPD question: certificates shipped?


ISAKMPD question: certificates shipped?

Toni Mueller-10
Hi,

I'm running into a problem with OpenBSD 5.0 and isakmpd. A config that
works on 4.8 doesn't work on 5.0: the client is denied access,
allegedly due to OpenBSD shipping the wrong (X.509) certificate, or
certificates in the wrong order. The (3rd party) claim is that it might
ship the CA certificate, followed by the server certificate.

It would be very nice if someone could shed some light on this.

TIA!


Kind regards,
--Toni++


Re: ISAKMPD question: certificates shipped?

Stuart Henderson
I don't see any code changes that would result in a different presentation
order of certificates between 4.8 and 5.0.

tcpdump traces of the negotiation from 4.8 and 5.0 might be useful, as might
logs from the 3rd party and maybe isakmpd, though I'll be the first to admit
isakmpd logging is pretty impenetrable; I find setting this on the command
line gives a fairly good balance of information:

-v -D0=29 -D1=49 -D2=10 -D3=30 -D5=20 -D6=30 -D8=30 -D9=30 -D10=20


On 2011-11-30, Toni Mueller <[hidden email]> wrote:

> Hi,
>
> I'm running into a problem with OpenBSD 5.0 and isakmpd. A config that
> works on 4.8 doesn't work on 5.0: the client is denied access,
> allegedly due to OpenBSD shipping the wrong (X.509) certificate, or
> certificates in the wrong order. The (3rd party) claim is that it might
> ship the CA certificate, followed by the server certificate.
>
> It would be very nice if someone could shed some light on this.
>
> TIA!
>
>
> Kind regards,
> --Toni++


Re: ISAKMPD question: certificates shipped?

Toni Mueller-10
Hi Stu,

On Sun, Dec 04, 2011 at 11:24:24AM +0000, Stuart Henderson wrote:
> I don't see any code changes that would result in a different presentation
> order of certificates between 4.8 and 5.0.
>
> tcpdump traces of the negotiation from 4.8 and 5.0 might be useful, as might
> logs from the 3rd party and maybe isakmpd, though I'll be the first to admit
> isakmpd logging is pretty impenetrable; I find setting this on the command
> line gives a fairly good balance of information:

Thank you for your statement.

Currently, the problem looks as follows:

If isakmpd is configured to use

[X509-Certificates]
Private-key-directory=  /etc/isakmpd/private


the documentation suggests that it will select one out of a set of keys
to use, depending on the actual configuration of the connections.

This does not seem to work with road warrior connections (=
Passive-Connections). In that case, the road warrior seems to get no
certificate, then decides that it's unsafe to connect to the gateway.
The desired behaviour is to ship the certificate which is appropriate
for this connection (it's configured as the local-id for those
connections, so...).

Specifying "Private-key = somefile.key" fixes this problem, but removes
the option to use several keys, which is bad.

There's another unresolved issue in this area, which I don't yet have
enough data to fathom.


Kind regards,
--Toni++
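The first message in this thread asks whether the gateway presents the CA certificate ahead of the server certificate. One way to settle that question from a certificate bundle (for instance the CERT payload contents pulled out of a tcpdump capture and saved as PEM) is the script below. It is an added example, not code from the thread, from isakmpd or from OpenBSD. It uses only the Python standard library: it walks the DER of each certificate far enough to read the issuer and subject names, reports each certificate's role and the order in which they appear, and can reorder a chain end-entity first. The sample certificates, names and serial numbers it builds are constructed placeholders with dummy keys and signatures, so they parse but cannot be verified.

```python
import base64

# --- minimal DER encoder, used only to build the constructed sample certificates ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def seq(*items):
    return tlv(0x30, b"".join(items))

def name(cn):
    # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue; a single CN (OID 2.5.4.3)
    return seq(tlv(0x31, seq(tlv(0x06, b"\x55\x04\x03"), tlv(0x13, cn.encode()))))

RSA_SHA256 = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # OID 1.2.840.113549.1.1.11
RSA_KEY = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"     # OID 1.2.840.113549.1.1.1

def toy_cert(subject_cn, issuer_cn, serial):
    """Structurally valid v1 Certificate with placeholder key and signature (constructed, unverifiable)."""
    tbs = seq(
        tlv(0x02, bytes([serial])),                       # serialNumber
        seq(tlv(0x06, RSA_SHA256)),                       # signature algorithm
        name(issuer_cn),                                  # issuer
        seq(tlv(0x17, b"200101000000Z"), tlv(0x17, b"300101000000Z")),  # validity
        name(subject_cn),                                 # subject
        seq(seq(tlv(0x06, RSA_KEY)), tlv(0x03, b"\x00\x00")),  # dummy SubjectPublicKeyInfo
    )
    return seq(tbs, seq(tlv(0x06, RSA_SHA256)), tlv(0x03, b"\x00\x00"))  # dummy signature

def to_pem(der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

# --- DER walker: just enough to pull issuer and subject out of any X.509 certificate ---
def read_tlv(buf, pos):
    """Return (tag, value bytes, position after this element)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                       # long-form length
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln

def cert_names(der):
    """Return (subject, issuer) as the raw DER content of each Name, for byte-wise comparison."""
    _, cert, _ = read_tlv(der, 0)       # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)       # tbsCertificate
    tag, _, pos = read_tlv(tbs, 0)      # [0] version (v3) or serialNumber (v1)
    if tag == 0xA0:
        _, _, pos = read_tlv(tbs, pos)  # serialNumber
    _, _, pos = read_tlv(tbs, pos)      # signature AlgorithmIdentifier
    _, issuer, pos = read_tlv(tbs, pos)
    _, _, pos = read_tlv(tbs, pos)      # validity
    _, subject, pos = read_tlv(tbs, pos)
    return subject, issuer

def common_name(name_val):
    pos = 0
    while pos < len(name_val):
        _, rdn, pos = read_tlv(name_val, pos)   # SET (one RDN)
        _, atv, _ = read_tlv(rdn, 0)            # SEQUENCE { type, value }
        _, oid, p = read_tlv(atv, 0)
        if oid == b"\x55\x04\x03":
            _, val, _ = read_tlv(atv, p)
            return val.decode("latin-1")
    return "?"

def pem_to_ders(text):
    ders, block = [], None
    for line in text.splitlines():
        if line.startswith("-----BEGIN CERTIFICATE-----"):
            block = []
        elif line.startswith("-----END CERTIFICATE-----"):
            ders.append(base64.b64decode("".join(block)))
            block = None
        elif block is not None:
            block.append(line.strip())
    return ders

def classify(ders):
    """Role of each certificate, in the order presented: (common name, role)."""
    names = [cert_names(d) for d in ders]
    issuers = {iss for subj, iss in names if subj != iss}
    out = []
    for subj, iss in names:
        if subj == iss:
            kind = "self-signed CA"
        elif subj in issuers:
            kind = "intermediate CA"
        else:
            kind = "end-entity"
        out.append((common_name(subj), kind))
    return out

def leaf_first(ders):
    """Reorder a chain so the end-entity certificate comes first, following issuer links."""
    names = [cert_names(d) for d in ders]
    issuers = {iss for subj, iss in names if subj != iss}
    leaves = [i for i, (subj, _) in enumerate(names) if subj not in issuers]
    if len(leaves) != 1:
        raise ValueError("expected exactly one end-entity certificate, found %d" % len(leaves))
    order = [leaves[0]]
    while True:
        subj, iss = names[order[-1]]
        if subj == iss:
            break                        # reached a self-signed root
        nxt = [i for i, (s, _) in enumerate(names) if s == iss and i not in order]
        if not nxt:
            break                        # issuer not in the bundle
        order.append(nxt[0])
    return [ders[i] for i in order]

def check_order(pem_text):
    """Return (roles in presented order, True if the end-entity certificate is first)."""
    roles = classify(pem_to_ders(pem_text))
    return roles, roles[0][1] == "end-entity"

# Constructed sample bundle in the order the thread describes as problematic: CA first, then server.
SAMPLE_CA = toy_cert("Example Root CA", "Example Root CA", 1)
SAMPLE_SERVER = toy_cert("vpn.example.com", "Example Root CA", 2)
SAMPLE_PEM = to_pem(SAMPLE_CA) + to_pem(SAMPLE_SERVER)

if __name__ == "__main__":
    roles, ok = check_order(SAMPLE_PEM)
    for cn, kind in roles:
        print(f"{cn:20} {kind}")
    print("end-entity first:", ok)
    print("reordered:", [common_name(cert_names(d)[0]) for d in leaf_first(pem_to_ders(SAMPLE_PEM))])
```

Run it against a real bundle by replacing SAMPLE_PEM with the file contents; the walker only reads the first few fields of tbsCertificate, so it works on v1 and v3 certificates alike and never touches keys or signatures. Comparing the raw DER of the Name fields avoids the string-normalisation pitfalls that a textual CN comparison would have.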