[Openswan Users] osX and certificates

Bob Miller bob at computerisms.ca
Fri Jan 25 16:12:00 EST 2013

Greetings all,

I am seeking to increase my understanding.  I am not sure that I have a
specific question, but if I do it is what is the magic spell that makes
certificates work for mac computers connecting to openswan?

Background

I have an openswan server that currently supports windows road warriors
and a net-to-net tunnel to a satellite office.  Now, there are a handful
of mac computers that need to work as road warriors too.

In trying to get a mac to join, I have with reasonable confidence
narrowed the problem down to the certificates being the problem.  At
least I can connect when using PSK, and no amount of fiddling with the
ipsec.conf gets me past the MAIN_R2 stage.  I find no errors, just a
steady looping up to MAIN_R2 then start over till everything times out.

Some years ago, maybe 3 or 4, was the last time someone asked me to
connect a mac to openswan.  At that time I remember failing to get the
mac to join because of certificate problems, and afterwards deciding it
was time to get a handle on certificates.  I read all the documentation
and built myself an ssl.conf that was used to construct my current CA,
and subsequently I have been using that CA to sign certs for windows
roadwarriors, linux roadwarriors, net-to-net openswan installations,
email servers, web applications; where ever I have needed certs, my
setup has been working.  Until I come full circle to putting macs
together with openswan.

When I built my ssl system, I took into account the information on
Jacco's most excellent web pages, in particular regarding certificate
requirements for mac.

- I use subjectAltName extensively for web pages that answer to more than
one name; the blackberry playbook browser, for example, will not work
with a certificate that does not have SANs correctly configured.  (Note:
I have also, according to Jacco's page, made a hosts entry so that I am
connecting to the host as it is listed in SAN on the firewall
certificate).  When I read the pem file for this firewall's certificate,
the SAN is clearly visible.

- There are no extendedKeyUsage settings in my ssl.conf.  When I search
the generated pem file, the string extendedKeyUsage is not found.

- Jacco mentions that macs will not connect to certificates that present
a certificate containing a DN as its ID.  I do not remember this
particular requirement from when I set up my ssl, and I am having a
really hard time finding supporting documentation, but I think this
means that when I set the rightid in my ipsec.conf, it needs to match
the SAN and not the DN of the certificate.  If I am correct, that is
done, else hopefully someone will correct me.

So if I have addressed all the requirements for certificates to work
with a mac, why don't they work?  Clearly there is at least one piece of
information I am still missing to understand the problem.  If the
solution is embarrassingly simple, please embarrass me; it would be a
small price to pay for me to finally get my head wrapped around this.

In the hope that more people will read a smaller mail, I am neglecting
to include config files, log entries and such.  I will however readily
make such information available if anyone is willing to look at it.

If you are still reading: thank you.
If you make comments:

Bob Miller
867-334-7117 / 867-633-3760
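Since the post leaves out its own certificate and config, here is an added shell example (not from the original post or from Openswan) that inspects a server certificate for the three properties listed above: a DNS subjectAltName is present, no extendedKeyUsage is set, and the subject DN is printed next to the SAN so that rightid can be matched to the SAN rather than the DN. It assumes the openssl command-line tool is installed; the hostnames and file names are constructed, and `@name` is Openswan's ipsec.conf syntax for an FQDN identity.

```shell
#!/bin/sh
# Added example: check a PEM certificate the way the post describes.
# Assumes the openssl CLI (1.1.1 or newer for -addext). All names are constructed.
set -u

# san_names CERT.pem -> prints the DNS SAN entries, one per line (nothing if none)
san_names() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n '/X509v3 Subject Alternative Name/{n;p;}' |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# has_eku CERT.pem -> exit 0 if the certificate carries an extendedKeyUsage extension
has_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -q 'X509v3 Extended Key Usage'
}

# check_vpn_cert CERT.pem -> exit 0 when a DNS SAN exists and no EKU is present.
# Prints the subject DN and the SAN names so the two can be compared by eye.
check_vpn_cert() {
    cert=$1
    openssl x509 -in "$cert" -noout -subject
    sans=$(san_names "$cert")
    if [ -z "$sans" ]; then
        echo "FAIL: no DNS subjectAltName"; return 1
    fi
    echo "SAN DNS names: $(echo "$sans" | tr '\n' ' ')"
    if has_eku "$cert"; then
        echo "FAIL: extendedKeyUsage present"; return 1
    fi
    # Openswan expresses an FQDN identity as @name; take it from the SAN, not the DN
    echo "suggested rightid=@$(echo "$sans" | head -n 1)"
    return 0
}

# make_test_cert OUT.pem [EXT ...] -> constructed self-signed cert for trying the checks,
# e.g. make_test_cert fw.pem "subjectAltName=DNS:fw.example.test"
make_test_cert() {
    out=$1; shift
    args=""
    for ext in "$@"; do args="$args -addext $ext"; done
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "${out%.pem}.key" -out "$out" \
        -subj "/C=CA/O=Example/CN=fw.example.test" $args >/dev/null 2>&1
}
```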
