[Openswan Users] osX and certificates
bob at computerisms.ca
Fri Jan 25 16:12:00 EST 2013
I am seeking to increase my understanding. I am not sure that I have a
specific question, but if I do it is what is the magic spell that makes
certificates work for mac computers connecting to openswan? Background
I have an openswan server that currently supports windows road warriors
and a net-to-net tunnel to a satellite office. Now, there are a handful
of mac computers that need to work as road warriors too.
In trying to get a mac to join, I have with reasonable confidence
narrowed the problem down to the certificates being the problem. At
least I can connect when using PSK, and no amount of fiddling with the
ipsec.conf gets me past the MAIN_R2 stage. I find no errors, just a
steady looping up to MAIN_R2 then start over till everything times out.
Some years ago, maybe 3 or 4, was the last time someone asked me to
connect a mac to openswan. At that time I remember failing to get the
mac to join because of certificate problems, and afterwards deciding it
was time to get a handle on certificates. I read all the documentation
and built myself an ssl.conf that was used to construct my current CA,
and subsequently I have been using that CA to sign certs for windows
roadwarriors, linux roadwarriors, net-to-net openswan installations,
email servers, web applications; where ever I have needed certs, my
setup has been working. until I come full circle to putting macs
together with openswan.
When I built my ssl system, I took into account the information on
Jacco's most excellent web pages, in particular regarding certificate
requirements for mac.
-I use subjectAltName extensively for web pages that answer to more than
one name; the blackberry playbook browser, for example, will not work
with a certificate that does not have SANs correctly configured. (Note:
I have also, according to Jacco's page, made a hosts entry so that I am
connecting to the host as it is listed in SAN on the firewall
certificate). When I read the pem file for this firewall's certificate,
the SAN is clearly visible.
-There are no extendedKeyUsage settings in my ssl.conf. When I search
the generated pem file, the string extendedKeyUsage is not found.
-Jacco mentions that macs will not connect to certificates that present
a certificate containing a DN as its ID. I do not remember this
particular requirement from when I set up my ssl, and I am having a
really hard time finding supporting documentation, but I think this
means that when I set the rightid in my ipsec.conf, it needs to match
the SAN and not the DN of the certificate. If I am correct, that is
done, else hopefully someone will correct me.
So if I have addressed all the requirements for certificates to work
with a mac, why don't they work? Clearly there is at least one piece of
information I am still missing to understand the problem. If the
solution is embarrassingly simple, please embarrass me; it would be a
small price to pay for me to finally get my head wrapped around this.
In the hope that more people will read a smaller mail, I am neglecting
to include config files, log entries and such. I will however readily
make such information available if anyone is willing to look at it.
If you are still reading: thank you
if you make comments:
867-334-7117 / 867-633-3760
More information about the Users