[Openswan Users] server certificate problem (ID_DER_ASN1_DN, subjectAltName, INVALID_ID_INFORMATION)

Paul Wouters paul at xelerance.com
Mon Apr 6 21:17:43 EDT 2009


On Sat, 4 Apr 2009, Laurentiu Lazar wrote:

> transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> NAT-T: floating to port 4500
> NAT-T connection has wrong interface definition IP:4500 vs IP:500
> NAT-T: using interface IFACE:4500
> received encrypted packet from SERVERIP:4500
> decrypting 1544 bytes using algorithm OAKLEY_3DES_CBC
> Main mode peer ID is ID_DER_ASN1_DN: '|'
> - This '|' seems strange to me. Now the server's certificate is
> listed. It has a "L2 - subject:" line that seems OK, and after that:
>
> subject: ''
> - Now this seems strange to me. An empty subject?
>
> issuer: ... (OK)
> authkey: ... (OK)
> not before: ...
> current time: ...
> not after: ...
> valid certificate for ""
> - Empty again? After this follows the signature checking ended with:
>
> Public key validated
> we require peer to have ID 'CN=...', but peer declares 'P\016\303'
> complete state transition with (null)
> sending encrypted notification INVALID_ID_INFORMATION to SERVERIP:4500
>
> What the peer declares is "random", different on every certificate request.
>
> Listing the server certificate with "openssl x509 -text" I see that it has:
> - a good "Subject" line (what I have in rightid=CN=x.y.z)
> - X509v3 Subject Alternative Name: DNS: x.y.z (the same x.y.z)

Do a run with plutodebug=all and post that.

Paul
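To illustrate the mismatch in the log above, here is an added example (not code from this thread or from Openswan): a minimal DER decoder that tries to read an ID_DER_ASN1_DN payload as an X.501 Name and compare its CN with a configured rightid=CN=x.y.z. GARBLED_ID is the byte string Pluto printed; GOOD_DN is a constructed, well-formed encoding of CN=x.y.z.

```python
# Added example for this thread (not Openswan code): decode an IKE ID payload of
# type ID_DER_ASN1_DN and compare its CN with a configured rightid=CN=... value.
# GARBLED_ID is what Pluto logged; GOOD_DN is constructed here for CN=x.y.z.
OID_CN = bytes.fromhex("550403")  # id-at-commonName, 2.5.4.3
GARBLED_ID = b"P\016\303"
GOOD_DN = bytes.fromhex("3010310e300c06035504030c05782e792e7a")

def der_tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header at offset %d" % pos)
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: next (length & 0x7f) bytes hold it
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("length %d exceeds remaining %d bytes" % (length, len(buf) - pos))
    return tag, buf[pos:pos + length], pos + length

def parse_dn(der):
    """Decode an X.501 Name (SEQUENCE OF SET OF SEQUENCE {OID, string}) to [(oid, text)]."""
    tag, seq, end = der_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("outer element is not a Name SEQUENCE (tag 0x%02x)" % tag)
    rdns, pos = [], 0
    while pos < len(seq):
        tag, rdn, pos = der_tlv(seq, pos)
        if tag != 0x31:
            raise ValueError("RDN is not a SET")
        tag, atv, _ = der_tlv(rdn)
        if tag != 0x30:
            raise ValueError("AttributeTypeAndValue is not a SEQUENCE")
        tag, oid, p = der_tlv(atv)
        if tag != 0x06:
            raise ValueError("attribute type is not an OID")
        _, value, _ = der_tlv(atv, p)  # UTF8String/PrintableString/IA5String value
        rdns.append((oid, value.decode("utf-8")))
    return rdns

def id_matches(der_id, rightid_cn):
    """Return (matched, reason) for a peer ID_DER_ASN1_DN against the configured CN."""
    try:
        cns = [v for oid, v in parse_dn(der_id) if oid == OID_CN]
    except ValueError as e:
        return False, "peer ID is not a valid DER Name: %s" % e
    return rightid_cn in cns, "peer CN(s) %r vs configured CN=%s" % (cns, rightid_cn)
```

Running `id_matches(GARBLED_ID, "x.y.z")` fails at the first length field (14 bytes claimed, 1 available), which is the kind of condition that leaves the responder unable to match any configured ID and leads to an INVALID_ID_INFORMATION notification; a plutodebug=all run is what shows the raw ID payload bytes behind such a result.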


