Mailing List Archive: vpnc: devel

vpnc 0.5.3_p449 hybrid-auth not working since merge of gnutls code

 

 



martin.dummer at gmx

Nov 19, 2009, 2:12 AM

Post #1 of 5 (2398 views)
vpnc 0.5.3_p449 hybrid-auth not working since merge of gnutls code

Hello folks,

I have used vpnc for quite a long time, working well with hybrid auth. My (XXX-ed) config file is:

===========================================
IPSec ID swc.dft
IPSec obfuscated secret XXX
IPSec gateway XXX
Xauth username XXX
IKE Authmode hybrid
IKE DH Group dh2
CA-File /etc/vpnc/XXX.pem
DPD idle timeout (our side) 0
Debug 99

===========================================

Since the gentoo vpnc package switched from 0.5.3 to 0.5.3_p449 I cannot establish connections any more. The reason is the switch from openssl to gnutls code (I have tested the gnutls code before and found it not working, but was too busy to report the problem).


So now I receive the following error message when trying to establish a connection: "vpnc: certificate signer not found"

I looked into the sources and assumed the certificate file (pem-encoded) is not understood. Next try with the same cert in CER format gives the error message "vpnc: importing CA list (-34)".

Does someone have an idea what to do?
I switched back to 0.5.3 to be able to work again, but I can do tests if someone has a good hint.

Bye,

Martin





_______________________________________________
vpnc-devel mailing list
vpnc-devel [at] unix-ag
https://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel
http://www.unix-ag.uni-kl.de/~massar/vpnc/


dcbw at redhat

Nov 19, 2009, 9:07 AM

Post #2 of 5 (2288 views)
Re: vpnc 0.5.3_p449 hybrid-auth not working since merge of gnutls code [In reply to]

On Thu, 2009-11-19 at 11:12 +0100, Martin Dummer wrote:
> Hello folks,
>
> I use vpnc for quite a long time working well with hybrid auth. My (XXX-ed) config file is:
>
> ===========================================
> IPSec ID swc.dft
> IPSec obfuscated secret XXX
> IPSec gateway XXX
> Xauth username XXX
> IKE Authmode hybrid
> IKE DH Group dh2
> CA-File /etc/vpnc/XXX.pem
> DPD idle timeout (our side) 0
> Debug 99
>
> ===========================================
>
> Since the gentoo vpnc package switched from 0.5.3 to 0.5.3_p449 I cannot establish connections any more. The reason is the switch from openssl to gnutls code (I have tested the gnutls code before and found it not working, but was too busy to report the problem).

Hmm, it would have helped if you had... we had at least two positive
reports that the gnutls code worked with people's existing setups.

What architecture (ppc, ia32, x86-64, ppc64, arm, etc) are you running?

>
> So now I receive the following error message when trying to establish a connection: "vpnc: certificate signer not found"
>
> I looked into the sources and assumed the certificate file (pem-encoded) is not understood. Next try with the same cert in CER format gives the error message "vpnc: importing CA list (-34)".
>
> Has someone an idea what to do?
> I switch back to 0.5.3 to be able to work again, but I can do tests if someone has a good hint.

Could you grab the SVN sources, build vpnc, and run 'make test' for me
to isolate whether it's something the testcase catches or not?

Dan




martin.dummer at gmx

Nov 19, 2009, 11:51 PM

Post #3 of 5 (2276 views)
Re: vpnc 0.5.3_p449 hybrid-auth not working since merge of gnutls code [In reply to]

On Thursday, 19 November 2009 18:07:42, Dan Williams wrote:
> > Since the gentoo vpnc package switched from 0.5.3 to 0.5.3_p449 I cannot establish connections any more. The reason is the switch from openssl to gnutls code (I have tested the gnutls code before and found it not working, but was too busy to report the problem).
>
> Hmm, it would have helped if you had... we had at least two positive
> reports that the gnutls code worked with peoples existing setups.

Yes, you're right... but you know... sometimes you think someone else will do the job, but nobody does... sorry for that.
I appreciate the switch to gnutls, so we'll try to fix the problem.

>
> What architecture (ppc, ia32, x86-64, ppc64, arm, etc) are you running?
I use x86-64 (or amd64)


>
> Could you grab the SVN sources, build vpnc, and run 'make test' for me
> to isolate whether it's something the testcase catches or not?
>
Yes, I did.

"make test" runs fine:

./test-crypto test/cert.pem test/cert0.pem test/cert1.pem test/cert2.pem test/root.pem
Success

I don't fully understand what "test-crypto" does with the arguments, but I tried to append the CA cert file I need for my company's VPN connection and then I see

./test-crypto test/cert.pem test/cert0.pem test/cert1.pem test/cert2.pem test/root.pem /etc/vpnc/FTS_RootCA_Public.pem
Error verifying chain: certificate signer not found

This is the same error message as in the connection attempts.

Any other idea what I can try?

Martin





dcbw at redhat

Nov 20, 2009, 10:52 AM

Post #4 of 5 (2285 views)
Re: vpnc 0.5.3_p449 hybrid-auth not working since merge of gnutls code [In reply to]

On Fri, 2009-11-20 at 08:51 +0100, Martin Dummer wrote:
> On Thursday, 19 November 2009 18:07:42, Dan Williams wrote:
> > > Since the gentoo vpnc package switched from 0.5.3 to 0.5.3_p449 I cannot establish connections any more. The reason is the switch from openssl to gnutls code (I have tested the gnutls code before and found it not working, but was too busy to report the problem).
> >
> > Hmm, it would have helped if you had... we had at least two positive
> > reports that the gnutls code worked with peoples existing setups.
>
> Yes, you're right... but you know... sometimes you think someone else will do the job, but nobody does... sorry for that.
> I appreciate the switch to gnutls, so we'll try to fix the problem.

Thanks!

> >
> > What architecture (ppc, ia32, x86-64, ppc64, arm, etc) are you running?
> I use x86-64 (or amd64)
>
>
> >
> > Could you grab the SVN sources, build vpnc, and run 'make test' for me
> > to isolate whether it's something the testcase catches or not?
> >
> Yes, I did.
>
> "make test" runs fine:
>
> ./test-crypto test/cert.pem test/cert0.pem test/cert1.pem test/cert2.pem test/root.pem
> Success
>
> I don't fully understand what "test-crypto" does with the arguments, but I tried to append the CA cert file I need for my company's VPN connection and then I see

It checks that the code can verify a known good certificate chain.
cert.pem is a root cert, cert0.pem is signed by cert.pem, cert1.pem is
signed by cert0.pem, and cert2.pem is the server certificate signed by
cert1.pem. That ensures that we can verify a given certificate chain.

So if the test runs OK, we know the code isn't completely broken :)

> ./test-crypto test/cert.pem test/cert0.pem test/cert1.pem test/cert2.pem test/root.pem /etc/vpnc/FTS_RootCA_Public.pem
> Error verifying chain: certificate signer not found
>
> This is the same error message as in the connection attempts.

So that's not going to work because FTS_RootCA_Public.pem doesn't sign
any of the certificates in the testing chain. We'd need to grab the
certificate that the server sends down to you and verify *that*
certificate against FTS_RootCA_Public.pem to figure out whether (a) I've
screwed up the gnutls cert code, or (b) your sysadmin has the stuff
configured badly.

I'll work up a patch to dump out the VPN server certificate so that you
can use it with the test tool.

Basically, "certificate signer not found" means that a certificate
higher up the chain did not sign the certificate of the child you've
given it; it would mean that FTS_RootCA_Public.pem is not the direct
signer of your VPN server's certificate. Or that I've screwed up the
code.

BTW, does FTS_RootCA_Public.pem include multiple certificates?

Dan




martin.dummer at gmx

Nov 22, 2009, 3:30 AM

Post #5 of 5 (2273 views)
Re: vpnc 0.5.3_p449 hybrid-auth not working since merge of gnutls code [In reply to]

On Friday, 20 November 2009 19:52:47, Dan Williams wrote:
>
> So that's not going to work because FTS_RootCA_Public.pem doesn't sign
> any of the certificates in the testing chain. We'd need to grab the
> certificate that the server sends down to you and verify *that*
> certificate against FTS_RootCA_Public.pem to figure out whether (a) I've
> screwed up the gnutls cert code, or (b) your sysadmin has the stuff
> configured badly.
>

Okay, understood.

> I'll work up a patch to dump out the VPN server certificate so that you
> can use it with the test tool.
>

Not necessary. I ran the connection attempts with "debug 99", so all the certs can be found in the debug output.

> BTW, does FTS_RootCA_Public.pem include multiple certificates?
No.

The two connection attempts debug logs (one with working ssl code and one with new gnutls code) are identical up to "S4 AM_packet2"

In this "AM_packet2" there are 3 certificates in the debug output. I cut the hexdump out, converted it with a small perl script to DER format and then with "openssl" to PEM format. These 3 certificates are named c1-1.pem / c1-2.pem / c1-3.pem. The certificate referenced in the config file is identical to c1-1.pem.

When I inspect the certs with a text editor I can read
in c1-3.pem: X509v3 Authority Key Identifier: keyid:08:F5:C8:6A:BF:80:E3:7B:50:C4:39:F4:07:98:46:E8:6D:7E:97:A8
and in c1-2.pem the matching X509v3 Subject Key Identifier: 08:F5:C8:6A:BF:80:E3:7B:50:C4:39:F4:07:98:46:E8:6D:7E:97:A8
while c1-2.pem has X509v3 Authority Key Identifier: keyid:14:75:E2:57:B6:15:37:15:80:2A:97:E5:51:48:65:AC:CF:86:90:CB
which is found in c1-1.pem and in FTS_RootCA_Public.pem as X509v3 Subject Key Identifier.

I'm really not a cryptography expert, but as far as I understand, these certificates are chained together.

Now I run
test-crypto c1-1.pem c1-2.pem c1-3.pem
Error verifying chain: certificate signer not found

and
test-crypto FTS_RootCA_Public.pem c1-2.pem c1-3.pem
Error verifying chain: certificate signer not found



For further researching the certs are attached.

Any idea what to try next ?

Martin
Attachments:
  FTS_RootCA_Public.pem (4.27 KB)
  c1-2.pem (4.94 KB)
  c1-1.pem (4.27 KB)
  c1-3.pem (4.62 KB)
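The two checks discussed in this thread, Dan's description of what test-crypto verifies (a root -> intermediate -> server chain, root given first) and Martin's manual comparison of Subject/Authority Key Identifiers, can be reproduced with the openssl command line, which is what a practitioner would do to separate "the gnutls code is broken" from "the chain the gateway sends does not fit the CA file". The script below is an added example and is not vpnc's code or its test tool; it builds its own throwaway three-certificate chain (the names Example-Root, Example-Intermediate and vpn.example.test are made up), links each certificate's AKI to its issuer's SKI in root-first order, verifies the leaf against the root with and without the intermediate, and shows the DER-to-PEM conversion step. It assumes only that an openssl binary (1.1.1 or 3.x) is on the PATH.

```shell
#!/bin/sh
# Added example, not vpnc's code: rebuild the check that vpnc's test-crypto
# tool performs (verify a root -> intermediate -> leaf chain) with the
# openssl command line, and confirm the Subject/Authority Key Identifier
# links the way Martin inspected them by hand. The chain is constructed
# here; the names (Example-Root, vpn.example.test) are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles: CA certs get CA:TRUE plus SKI/AKI; the leaf gets CA:FALSE.
cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# Build root.pem (self-signed), inter.pem (signed by root) and leaf.pem
# (signed by inter). The leaf plays the role of the VPN gateway certificate.
make_chain() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
    -subj /CN=Example-Root -days 365 -config ext.cnf -extensions v3_ca 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
    -subj /CN=Example-Intermediate -config ext.cnf 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -set_serial 2 \
    -days 365 -extfile ext.cnf -extensions v3_ca -out inter.pem 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj /CN=vpn.example.test -config ext.cnf 2>/dev/null
  openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -set_serial 3 \
    -days 365 -extfile ext.cnf -extensions v3_leaf -out leaf.pem 2>/dev/null
}

# Print a certificate's Subject Key Identifier / Authority Key Identifier as
# the colon-separated hex string shown in "openssl x509 -text" output
# (the "keyid:" prefix older openssl versions print is stripped).
ski() {
  openssl x509 -in "$1" -noout -text |
    awk '/Subject Key Identifier/ { getline; gsub(/[ \t]/, ""); print; exit }'
}
aki() {
  openssl x509 -in "$1" -noout -text |
    awk '/Authority Key Identifier/ { getline; gsub(/[ \t]/, ""); sub(/^keyid:/, ""); print; exit }'
}

# Walk certificates in root-first order and require each AKI to equal the
# SKI of the certificate before it. Returns 1 at the first broken link.
linked_by_keyid() {
  prev=""
  for c in "$@"; do
    if [ -n "$prev" ] && [ "$(aki "$c")" != "$(ski "$prev")" ]; then
      echo "break: $c is not issued by $prev" >&2
      return 1
    fi
    prev=$c
  done
}

# Verify a leaf against a CA file, passing any intermediates as untrusted.
# A missing intermediate makes openssl report "unable to get local issuer
# certificate", the counterpart of gnutls' "certificate signer not found".
verify_chain() {                 # verify_chain <ca-file> <leaf> [intermediate...]
  ca=$1; leaf=$2; shift 2
  untrusted=""
  for c in "$@"; do untrusted="$untrusted -untrusted $c"; done
  # shellcheck disable=SC2086
  openssl verify -CAfile "$ca" $untrusted "$leaf" >/dev/null 2>&1
}

# Convert a DER (.cer) certificate, e.g. one cut out of a vpnc debug
# hexdump, to the PEM form vpnc's CA-File option expects.
der_to_pem() {                   # der_to_pem <in.der> <out.pem>
  openssl x509 -inform DER -in "$1" -out "$2"
}

make_chain
echo "root  SKI $(ski root.pem)"
echo "inter AKI $(aki inter.pem)"
echo "inter SKI $(ski inter.pem)"
echo "leaf  AKI $(aki leaf.pem)"
linked_by_keyid root.pem inter.pem leaf.pem && echo "key identifiers chain root -> inter -> leaf"
verify_chain root.pem leaf.pem inter.pem && echo "full chain verifies: OK"
verify_chain root.pem leaf.pem || echo "leaf alone against root: issuer not found (expected)"
```

Applied to the certificates from the thread, the equivalent call would be `verify_chain FTS_RootCA_Public.pem c1-3.pem c1-2.pem`: if openssl accepts that chain while test-crypto with the same files reports "certificate signer not found", the problem is on the gnutls side of vpnc rather than in the gateway's configuration, which is exactly the (a)/(b) distinction Dan draws. A matching SKI/AKI pair only says which certificate claims to be the issuer; the signature check in `openssl verify` is what confirms it.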
