From: Axel W. <Ax...@co...> - 2004-12-16 17:28:38

Well :-) I should really read the man pages again. I was expecting Debug2 in racoon.conf to do all that is needed for proper debug output. Doing so didn't give me the remote CERT, and as Yvan asked for some info on what Checkpoint is actually sending, I did it this way. Also <g>, sometimes it is good training to do some C code reading again.

Regards,
Axel

Aidas Kasparas wrote:
> You don't need hacking. Run racoon with -d option and inspect syslog
> file. It should say what kind of ID remote peer has offered.
>
> Axel Westerhold wrote:
>
>> Ok here is what I did
>>
>> I checked the crypto_openssl.c and did a small change in coding
>>
>>     x509 = mem2x509(cert);
>>     if (x509 == NULL)
>>         goto end;
>>
>>     // +++ DTS DEBUG
>>     plog(LLV_ERROR, LOCATION, NULL, "DTS DEBUG\n");
>>     plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_get_x509text(cert));
>>
>>     gens = X509_get_ext_d2i(x509, NID_subject_alt_name, NULL, NULL);
>>     if (gens == NULL)
>>         goto end;
>>
>> Actually I checked first where the error is occurring, which was in
>> gens=NULL.
>>
>> Then I added the logging (quick and dirty) to get the cert I received,
>> which is as follows (some modification on key and DN to make it
>> unusable for whatever purpose):
>>
>> 2004-12-16 18:07:34: ERROR: Certificate:
>>     Data:
>>         Version: 3 (0x2)
>>         Serial Number: 10182 (0x27c6)
>>         Signature Algorithm: sha1WithRSAEncryption
>>         Issuer: O=fwwhf.xxx.de..nmydfw
>>         Validity
>>             Not Before: Jul 15 09:56:21 2004 GMT
>>             Not After : Jul 15 09:56:21 2009 GMT
>>         Subject: O=fwwhf.xxxx.de..nmydfw, CN=FWyyy VPN Certificate
>>         Subject Public Key Info:
>>             Public Key Algorithm: rsaEncryption
>>             RSA Public Key: (1024 bit)
>>                 Modulus (1024 bit):
>>                     00:c1:e6:a4:e2:ba:90:2a:80:0c:f2:0d:89:04:cf:
>>                     bb:6b:3b:f5:05:0a:24:31:4f:57:99:c6:79:6a:ec:
>>                     <--- snip ---->
>>                     91:1a:6a:92:72:26:d4:46:b1:0f:fd:7d:06:5e:e6:
>>                     f1:6b:12:34:f3:be:70:49:f9:f5:68:13:aa:39:40:
>>                     75:29:3a:24:ab:16:09:c4:dd:7e:eb:ca:3f:eb:62:
>>                     d5:38:38:55:e2:8f:b2:f1:b7
>>                 Exponent: 3 (0x3)
>>         X509v3 extensions:
>>             X509v3 CRL Distribution Points:
>>                 URI:http://MGMT-WKH:18264/ICA_CRL3.crl
>>                 DirName:/O=fwyyy.xxx.de..nmydfw/CN=ICA_CRL3
>>
>>             X509v3 Basic Constraints:
>>                 CA:FALSE
>>             X509v3 Key Usage:
>>                 Digital Signature, Key Encipherment
>>     Signature Algorithm: sha1WithRSAEncryption
>>         2a:67:bc:93:10:b7:9d:e3:1d:0e:b9:6d:ab:d7:7f:ae:d8:fc:
>>         ba:01:47:63:e3:4f:a7:b2:4c:18:e9:44:fe:a1:89:47:43:42:
>>         04:3a:35:0a:b9:94:af:cb:0a:b5:5d:3f:d3:47:a8:de:79:4f:
>>         <---snip --->
>>         73:4a:5e:79:94:3c:eb:f4:94:20:37:60:6d:c8:c7:18:d4:c9:
>>         5a:59:f0:4b:6e:7e:fb:b8:69:5a:09:e5:73:86:69:4e:1e:ab:
>>         5a:2a:2b:60:a3:b7:f6:fa:c8:65:96:7b:73:42:b8:bb:b3:33:
>>         73:fa:12:29:a3:02:cb:da:25:22:35:ac:27:0f:7e:e9:a4:99:
>>         e9:f9:5d:d2:cb:4b:20:c2:a5:b3:9d:4c:89:a5:33:99:b1:35:
>>         e6:df:d3:c8:fb:80:dc:a0:86:57:55:64:00:1c:6d:39:10:fd:
>>         6e:e4:30:d8
>>
>> As it seems to me the Subject is not a FQDN or IP, but I might just
>> be wrong.
>>
>> Axel
>>
>>
>> VANHULLEBUS Yvan wrote:
>>
>>> On Thu, Dec 16, 2004 at 01:51:37PM +0100, Axel Westerhold wrote:
>>>
>>>> Ok,
>>>>
>>>> that might make sense. As it seems I need to check what info a
>>>> Checkpoint is sending. Thanks for the answer and I would definitely
>>>> like to test your patch.
>>>
>>> I just committed it, but could *not* make all required tests (as I
>>> don't have certificates with subjectaltname).
>>>
>>> I am interested in getting more information about what a Checkpoint
>>> can send, and if it can be configured to send an ASN1DN identifier.
>>>
>>> Yvan.
>>>
>>> _______________________________________________
>>> Ipsec-tools-devel mailing list
>>> Ips...@li...
>>> https://lists.sourceforge.net/lists/listinfo/ipsec-tools-devel

--
Axel Westerhold
Congos Inc.
Technical Lead
Tel: (+49) 5732 688040
Cell: (+49) 171 9754 756
PK: 1EF597FA
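The failure the thread pins down is that racoon's certificate check in crypto_openssl.c only looks for a subjectAltName (FQDN or IP) and bails out at the gens == NULL branch when, as in the Checkpoint certificate above, the peer's cert carries nothing but a Subject DN; Yvan's patch adds the ASN1DN path. The program below is an added example, not racoon's code and not anything posted in the thread: a stdlib-only DER walker that pulls both the subjectAltName entries and the subject DN out of a certificate and selects an IKE identity, falling back to the DN when no SAN is present. The two certificates it parses are constructed in the script with a placeholder key and a dummy signature (nothing is verified); the names are modelled on the anonymised dump above, the identity labels ID_FQDN / ID_IPV4_ADDR / ID_DER_ASN1_DN follow the IKEv1 ID payload types, and the one-line DN form mirrors OpenSSL's. All of those are the example's own assumptions.

```python
# Added example, not racoon code: pick an IKE identity from a peer certificate.
# Minimal DER walker (stdlib only); sample certs are constructed below with a
# placeholder key and a dummy signature, nothing is verified.
SEQ, SET, INT, OID, PRINTABLE, OCTET, BITSTR, NULL, UTCTIME = (
    0x30, 0x31, 0x02, 0x06, 0x13, 0x04, 0x03, 0x05, 0x17)
OID_CN, OID_O = b"\x55\x04\x03", b"\x55\x04\x0a"            # 2.5.4.3, 2.5.4.10
OID_SAN, OID_BASIC = b"\x55\x1d\x11", b"\x55\x1d\x13"        # 2.5.29.17, 2.5.29.19
OID_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"            # rsaEncryption
OID_SHA1RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05"        # sha1WithRSAEncryption
DN_LABELS = {OID_CN: "CN", OID_O: "O"}

def der(tag, body):
    """Encode one TLV (single-byte tags are enough for what X.509 needs here)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_read(buf, pos=0):
    """Decode one TLV: (tag, body, position after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def der_children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = der_read(body, pos)
        out.append((tag, val))
    return out

def name(*rdns):  # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
    return der(SEQ, b"".join(
        der(SET, der(SEQ, der(OID, o) + der(PRINTABLE, t.encode()))) for o, t in rdns))

def extension(oid, inner):  # Extension ::= SEQUENCE { OID, OCTET STRING }
    return der(SEQ, der(OID, oid) + der(OCTET, inner))

def san(dns=(), ips=()):  # GeneralNames: [2] dNSName, [7] iPAddress
    names = b"".join(der(0x82, d.encode()) for d in dns)
    names += b"".join(der(0x87, bytes(map(int, ip.split(".")))) for ip in ips)
    return extension(OID_SAN, der(SEQ, names))

def make_cert(subject, extensions):
    """Constructed v3 certificate: placeholder key, dummy signature."""
    alg = der(SEQ, der(OID, OID_SHA1RSA) + der(NULL, b""))
    tbs = der(SEQ, der(0xA0, der(INT, b"\x02")) + der(INT, b"\x27\xc6") + alg
              + name((OID_O, "Example CA"))
              + der(SEQ, der(UTCTIME, b"040715095621Z") + der(UTCTIME, b"090715095621Z"))
              + subject
              + der(SEQ, der(SEQ, der(OID, OID_RSA) + der(NULL, b"")) + der(BITSTR, b"\x00"))
              + der(0xA3, der(SEQ, b"".join(extensions))))
    return der(SEQ, tbs + alg + der(BITSTR, b"\x00" * 9))

def parse_name(body):
    """Name body -> OpenSSL one-line form, e.g. '/O=acme/CN=gw'."""
    parts = []
    for _, rdn in der_children(body):
        for _, atv in der_children(rdn):
            (_, oid), (_, value) = der_children(atv)[:2]
            parts.append(f"{DN_LABELS.get(oid, oid.hex())}={value.decode()}")
    return "/" + "/".join(parts)

def peer_identities(cert_der):
    """Every identity the certificate could back: SAN entries plus subject DN."""
    _, cert, _ = der_read(cert_der)
    _, tbs, _ = der_read(cert)
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                     # explicit [0] version
        fields = fields[1:]                      # serial, alg, issuer, validity, subject, spki, ...
    ids = {"ID_FQDN": [], "ID_IPV4_ADDR": [], "ID_DER_ASN1_DN": parse_name(fields[4][1])}
    exts = next((b for t, b in fields[6:] if t == 0xA3), None)
    for _, ext in (der_children(der_read(exts)[1]) if exts is not None else []):
        items = der_children(ext)                # OID [, critical BOOLEAN], extnValue
        if items[0][1] != OID_SAN:
            continue
        for tag, val in der_children(der_read(items[-1][1])[1]):
            if tag == 0x82:
                ids["ID_FQDN"].append(val.decode("ascii"))
            elif tag == 0x87 and len(val) == 4:
                ids["ID_IPV4_ADDR"].append(".".join(map(str, val)))
    return ids

def select_peer_id(cert_der):
    """Prefer a subjectAltName identity; fall back to the subject DN (ASN1DN)."""
    ids = peer_identities(cert_der)
    for kind in ("ID_FQDN", "ID_IPV4_ADDR"):
        if ids[kind]:
            return kind, ids[kind][0]
    return "ID_DER_ASN1_DN", ids["ID_DER_ASN1_DN"]   # where gens == NULL used to bail out

# Constructed samples: DN-only like the Checkpoint dump above, and one with a SAN.
CHECKPOINT_STYLE = make_cert(
    name((OID_O, "fwwhf.xxxx.de..nmydfw"), (OID_CN, "FWyyy VPN Certificate")),
    [extension(OID_BASIC, der(SEQ, b""))])
SAN_STYLE = make_cert(name((OID_CN, "vpn.example.net")),
                      [san(dns=("vpn.example.net",), ips=("192.0.2.1",))])

if __name__ == "__main__":
    for label, cert in (("dn-only", CHECKPOINT_STYLE), ("san", SAN_STYLE)):
        print(label, select_peer_id(cert))
```

Running it prints an ID_DER_ASN1_DN for the DN-only certificate and an ID_FQDN for the one carrying a subjectAltName. The SAN walk is deliberately the same lookup racoon does with X509_get_ext_d2i(x509, NID_subject_alt_name, ...); the difference is that an absent extension is an ordinary outcome here rather than an error, which is the behaviour the ASN1DN patch adds. Anything a real daemon would do next (verifying the chain, and matching the chosen identity against the ID payload the peer actually sent) is out of scope for this walker.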