[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
(racoon 807) racoon fails to get the subjectName of the peers certificate
- To: email@example.com
- Subject: (racoon 807) racoon fails to get the subjectName of the peers certificate
- From: Roland Dirlewanger <Roland.Dirlewanger@dr15.cnrs.fr>
- Date: Thu, 14 Oct 2004 23:21:02 +0200
- Delivered-to: firstname.lastname@example.org
- Delivered-to: email@example.com
- Delivered-to: firstname.lastname@example.org
- Reply-to: email@example.com
- Sender: firstname.lastname@example.org
- User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax)
I'm using ipsec-tools 0.3.3 on a Linux Fedora Core 2 box. I tried to
setup racoon in order to accept road-warriors connexions from Windows XP
or 2000 clients. The clients authenticate themselves using X509
When I connect from a Windows host, the ISAKMP-SA cannot be established.
It fails with the following message :
2004-10-14 21:55:09: ERROR: 15556:error:0D0680A8:asn1 encoding
routines:ASN1_CHECK_TLEN:wrong [three more lines follow]
2004-10-14 21:55:09: ERROR: failed to get subjectName
I tried to find out why the certificates sent by the Windows boxes
cannot be decoded by racoon. I added the following code to the function
mem2x509 in crypto_openssl.c in order to dump the client certificate
into a file /tmp/cert :
int fd = creat("/tmp/cert", 0x644);
write(fd, cert->v, cert->l);
and tried again.
I watched through the resulting /tmp/cert file using "openssl asn1parse
-inform der < /tmp/cert". I noticed that /tmp/cert does not containg an
X509 certificate but a PKCS#7 object which is in fact, the certificate
chain leading to the certificate of the Windows machine.
It seems that racoon is really expecting a single certificate sent by
the peer and cannot handle a PKCS#7 certificate chain. Note that I been
been using the very same certificates in order to setup road-warrior
connexions from Windows to FreeSwan for a more than a year.
Is there something I can configure either on WIndows or on racoon.conf
in order to make racoon work with my certificates ?
Thank you very much in advance.
Roland Dirlewanger <Roland.Dirlewanger@dr15.cnrs.fr>
CNRS - Délégation Aquitaine et Poitou-Charentes
Esplanade des Arts et Métiers - BP 105
33402 TALENCE CEDEX
Tél: 05 57 35 58 52, Fax: 05 57 35 58 01