Monday, December 13, 2021

Re: did 70-006_x509 break ikectl ca ?

On Sun, Dec 12, 2021 at 10:01:20PM +0100, Harald Dunkel wrote:
> Hi folks,
>
> since syspatch 70-006_x509 and a reboot IKEv2 between 2 OpenBSD clusters
> (2 hosts on each end, carp interface, passive by default, managed via
> sasyncd) appears to be broken. /var/log/messages says
>
> Dec 12 21:40:28 gate5a iked[57676]: spi=0x5a7c2732b4b355e6: ikev2_dispatch_cert: peer certificate is invalid
>
> certificates have been generated using ikectl ca.
>
> How comes? I haven't changed the ca or the ike configuration since
> 6.8.
>
> Unfortunately rolling back the syspatch or issuing new certificates
> did not help. I am stuck and desperate.
>
>
> Every helpful comment is highly appreciated.
>
> Harri

Hi Harald,

i haven't heard of any problems with the syspatch you mention and I didn't
manage to reproduce your problem on my 7.0 machine. From your description
I'm assuming all four machines are running syspatched 7.0.

Some ideas:
- to verify that this is a libcrypto problem, try
'openssl verify -CAfile /path/to/ca /path/to/cert' and see if still fails.
- You are saying newly generated certs don't work. Did you modify
'/etc/ssl/ikeca.cnf'? If yes, see if it works with the original config.
- This is just a guess, but there were a several changes in recent libcrypto
versions that made the certificate parsing stricter. Does your cert maybe
have multiple extensions of the same type (e.g. multiple subjectAltNames)?

This is all I can say without seeing the actual certificates and/or iked log.

- Tobias

No comments:

Post a Comment