[Openswan Users] Apple macOSX 10.4.3: success!

Jacco de Leeuw jacco2 at dds.nl
Mon Nov 14 20:52:46 CET 2005


Paul Wouters wrote:

> I just installed the apple tiger update (10.4.3). Although the error message for
> trying to select an X.509 certificate instead of a preshared key has improved from
> "error no valid certificate found" to "no valid certificate found, use keychain
> access to import one", I am still unable to get X.509 certificates to work on
> MacOSX.

I managed to get it working. I can import a 'machine certificate' from a
PKCS#12 file and set up an L2TP/IPsec connection from Tiger to Openswan.

I have only tried it on 10.4.3 though, so I don't know if it also works on
previous versions of Tiger. I did not want to downgrade to find out.
(Is there anyone who is willing to try it on 10.4.0 - 10.4.2?)

There are two things that you need to keep in mind. The first one is that the
ID in the Openswan server certificate *must* be a hostname (type FQDN) or
an IP address (type IPV4_ADDR). For example, if you use OpenSSL you
need something like: subjectAltName=DNS:soggy.strongsec.com or
subjectAltName=IP:160.85.22.3 in your openssl.cnf when you generate the
server certificate. This hostname or IP address must also match the
"Server Address:" in the 'Internet Connect' application.

The other crucial thing is that you need Administrator privileges to access
the 'System' keychain. If you are logged in as a normal user you can only
import certificates to the 'Login' keychain. When you then try to select a
machine certificate in 'Internet Connect' you get this error:

     No machine certificates found.

     Certificate authentication cannot be used because your keychain does not
     contain any suitable certificates. Use Keychain Access to import the
     appropriate certificates into your keychain. If you do not have the
     certificates required for authentication, contact your network
     administrator.

The PKCS#12 file can be imported through the command-line or the Tiger GUI
(with some command-line assistance). For the details see my page at:
http://www.jacco2.dds.nl/networking/freeswan-panther.html#Certs

I guess the only remaining problem is the bug in Apple's racoon where they
swapped the NAT-D hashes: http://bugs.xelerance.com/view.php?id=462
Peter Van der Beken made a workaround but it is not in the recently
released Openswan 2.4.2. Of course you could wait for Apple to get
their act together but it took them almost 2 years to add certificate
support so I wouldn't hold my breath...

Jacco
-- 
Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl
                     Mosquitos suck
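The two requirements in the post above (the Openswan server certificate's ID must be a subjectAltName of type DNS or IP, and it must match the "Server Address:" typed into Internet Connect) are easy to get wrong when generating certificates by hand. The following POSIX shell script is an added example, not code from the original post or from the Openswan project: it writes a minimal openssl.cnf carrying the subjectAltName extension, generates a self-signed test certificate with it, and then checks that the certificate's SAN contains a DNS or IP entry exactly equal to the address the client will dial. The hostname vpn.example.test, the address 192.0.2.10 and the working directory are constructed placeholders; a real deployment would have the certificate signed by the CA that Openswan trusts rather than self-signed.

```shell
#!/bin/sh
# Added example (not from the original post): generate a server certificate
# whose ID is a SAN of type DNS or IP, then verify the SAN matches the
# address the L2TP/IPsec client will connect to. Names are placeholders.

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Write a minimal openssl.cnf with the subjectAltName extension.
# $1 = SAN value, e.g. "DNS:vpn.example.test" or "IP:192.0.2.10"
write_cnf() {
    cat > "$WORKDIR/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = server_ext
prompt = no

[ dn ]
CN = $(echo "$1" | cut -d: -f2-)

[ server_ext ]
subjectAltName = $1
extendedKeyUsage = serverAuth
EOF
}

# Generate a key and a self-signed certificate from that config.
# (Demo only: in production the CSR would be signed by the Openswan CA.)
gen_cert() {
    write_cnf "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.pem" \
        -config "$WORKDIR/openssl.cnf" >/dev/null 2>&1
}

# Print the Subject Alternative Name line of a PEM certificate, e.g.
# "DNS:vpn.example.test" or "IP Address:192.0.2.10".
san_of() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//'
}

# Check that the certificate carries a DNS or IP SAN entry exactly equal to
# the given server address. Returns 0 on match, 1 otherwise. Entries are
# compared whole (not as substrings) so "vpn.example" does not pass for
# "vpn.example.test".
check_san() {
    cert="$1"; addr="$2"
    san="$(san_of "$cert")"
    old_ifs="$IFS"; IFS=','
    for entry in $san; do
        entry="$(echo "$entry" | sed 's/^ *//')"
        case "$entry" in
            "DNS:$addr"|"IP Address:$addr") IFS="$old_ifs"; return 0 ;;
        esac
    done
    IFS="$old_ifs"
    echo "SAN '$san' does not match server address '$addr'" >&2
    return 1
}

# Usage: generate a certificate for the hostname clients will type into
# Internet Connect, then confirm the SAN matches before deploying it.
gen_cert "DNS:vpn.example.test"
check_san "$WORKDIR/server.pem" vpn.example.test && echo "SAN ok"
```

Run check_san against the certificate you actually install on the Openswan server, with the address users will enter in Internet Connect; a mismatch (or a certificate whose only identity is in the Subject DN) is exactly the situation where Tiger refuses the certificate.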