
OpenBSD 3.3, isakmpd, certificate authentication; problems

  Good day, misc. We would appreciate some help, as we can not get
isakmpd working with certificate-based authentication. Apparently we
are doing something wrong, but can't figure out what it is. Description 
of the problem follows...

  Situation: isakmpd does not work with certificate authentication

  RTFM: done, repeatedly

  Error condition: Upon isakmpd start, certificates stored in 
    /etc/isakmpd/certs are read, but not verified. Error message for each
    certificate is the same: 
    'x509_read_from_dir: PEM_read_bio_X509 failed for %s'

  Long explanation and measures already ventured:

  We have created a working CA certificate. The command is simple, and
works as advertised in documentation:
  /usr/sbin/openssl req -x509 -newkey rsa:4096 -keyout ${CAKEY} \
    -out ${CACERT} -sha1 -days 1825 -config ${CACONF}

  We have generated a working host certificate. The commands work
very nicely.

  /usr/sbin/openssl req -out ${HOSTREQ} -keyout ${HOSTKEY} \
    -newkey rsa:1024 -sha1 -days 365 -config ${HOSTREQCONF}
  /usr/sbin/openssl ca -cert ${CACERT} -keyfile ${CAKEY} -days 365 \
    -md sha1 -out ${HOSTCERT} -in ${HOSTREQ} -name our_ca \
    -config ${HOSTCERTCONF}

  Patch the certificate with AltName. We use the certificate in 
/etc/ssl/newcerts, with latest sequence number. First certificate issued 
gets 01.pem. Using md5 to check, the two certificates are the same.

  /usr/sbin/certpatch -t ufqdn -i nowhere@devnull.com.invalid \
    -k ${CAKEY} /etc/ssl/newcerts/01.pem ${HOSTCERT}

  We add an alias to generated certificate.

  /usr/sbin/openssl x509 -in ${HOSTCERT} -out ${HOSTCERT} \
    -setalias "Just a string"

  After this stage we can verify that the certificate still is usable:

  /usr/sbin/openssl verify -purpose any -CAfile ${CACERT} ${HOSTCERT}

  That command returns an "OK" string. Instead of 'any', 'sslclient' or
'sslserver' can be used as well - they give the same result. We have
established that the certificate is valid. A client certificate is created
in the same way and it verifies as well.

  Then, the isakmpd part:

  /etc/isakmpd/isakmpd.policy has the following setup;

  KeyNote-Version: 2
  Authorizer: "POLICY"
  Licensees: "x509-base64:<CACERT's base64 part, in one line>"
  Conditions: app_domains == "IPsec policy" -> "true";

  We also tried to put the CA cert as lines, with \'s at end of lines.
This setup should, according to documentation, authorize all certificates
that are signed with ${CAKEY}. In earlier steps, we have already verified
that generated client certificates match against this root certificate.

  In isakmpd.conf we have the following lines after host specifications:

Policy-file=            /etc/isakmpd/isakmpd.policy
Retransmits=            3
Exchange-max-time=      120

CA-directory=           /etc/isakmpd/ca/
Cert-directory=         /etc/isakmpd/certs/
CRL-directory=          /etc/isakmpd/crls/
Private-key=            /etc/isakmpd/private/local.key

  ${CACERT} has been copied to /etc/isakmpd/ca/ca.crt, host certificates
have been copied to /etc/isakmpd/certs/ and ${HOSTKEY} has been copied to
/etc/isakmpd/private/local.key. One important thing: if ${CACERT} is copied
to Cert-directory, isakmpd gives an additional error on start.

  As OpenBSD has quite recently removed an important part of their 
online-documentation (section 13 of FAQ has been removed, partly because
the maintainer conceded that it was badly out of date), there is no real,
official documentation available. Man-pages for isakmpd, isakmpd.conf and
isakmpd.policy do not have working examples, nor the information required
for constructing a working setup. We _have_ managed to get isakmpd run 
with pre-shared secret, but automating the process by use of certificates 
just does not work.

  The question is: what are we doing wrong? Is there something that we have
missed, or is the support of certificates in isakmpd really this flaky?

  Any help is greatly appreciated. Any additional information we may have
omitted thus far is available, just ask. We have read practically every
document we could find, we even contacted the single person who had
found a solution (he switched over to FreeS/WAN, when isakmpd didn't work).

  Should we get this setup working, the results and steps *will* be posted
on this list. It appears so many others have fought with the same thing
before us, but no solution has been found - or at least documented.

  Thank you.

Mika Boström         \ /  "The Hell is empty,
Bostik@stinghorn.com  X    and all the devils
Software slave       / \   are here." -W.S.
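An added example, not code from the original post or from OpenBSD, covering two points in the message above: the 'PEM_read_bio_X509 failed' error on every file in Cert-directory, and the one-line "x509-base64:" Licensees entry in isakmpd.policy. isakmpd's x509_read_from_dir hands each file to PEM_read_bio_X509, which parses a "CERTIFICATE" PEM block; `openssl x509 -setalias` writes the certificate back in "TRUSTED CERTIFICATE" form, which that call does not accept. The script below reports the PEM label of every file in a directory and builds the Licensees line from a PEM CA certificate. The function names and the sample files (placeholder base64, not real certificates) are constructed for this example.

```sh
#!/bin/sh
# Added example, not code from the original post. Two checks before pointing
# isakmpd at Cert-directory:
#  1. pem_block_type / check_cert_dir: report the PEM label of every file.
#     isakmpd's x509_read_from_dir uses PEM_read_bio_X509, which reads a
#     "CERTIFICATE" block, not the "TRUSTED CERTIFICATE" block that
#     `openssl x509 -setalias` writes.
#  2. keynote_licensee: turn a PEM CA certificate into the one-line
#     'Licensees: "x509-base64:..."' form isakmpd.policy expects.
# The sample files below are constructed placeholders, not real certificates.

# Print the label of the first PEM BEGIN line in a file, or "none".
pem_block_type() {
    label=$(sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1)
    [ -n "$label" ] && echo "$label" || echo "none"
}

# Succeed only for a block PEM_read_bio_X509 will parse.
is_loadable_cert() {
    case "$(pem_block_type "$1")" in
        CERTIFICATE|"X509 CERTIFICATE") return 0 ;;
        *) return 1 ;;
    esac
}

# Report every regular file in a directory (isakmpd reads them all);
# return the number of files it would reject.
check_cert_dir() {
    bad=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if is_loadable_cert "$f"; then
            echo "ok       $f ($(pem_block_type "$f"))"
        else
            echo "PROBLEM  $f ($(pem_block_type "$f"))"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Print the base64 body of the first PEM block, joined onto one line.
pem_body_oneline() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1" | sed '/^-----/d' | tr -d '\r\n'
}

# Emit the Licensees line for isakmpd.policy from a PEM CA certificate.
keynote_licensee() {
    printf 'Licensees: "x509-base64:%s"\n' "$(pem_body_oneline "$1")"
}

# --- constructed demo input (placeholder base64, not real certificates) ---
demo_dir=$(mktemp -d)
printf -- '-----BEGIN CERTIFICATE-----\nMIIBplaceholder\nQUJDDEF==\n-----END CERTIFICATE-----\n' \
    > "$demo_dir/host.crt"
printf -- '-----BEGIN TRUSTED CERTIFICATE-----\nMIIBplaceholder\n-----END TRUSTED CERTIFICATE-----\n' \
    > "$demo_dir/host-with-alias.crt"
printf -- '-----BEGIN RSA PRIVATE KEY-----\nMIICplaceholder\n-----END RSA PRIVATE KEY-----\n' \
    > "$demo_dir/stray.key"

check_cert_dir "$demo_dir" || echo "$? file(s) isakmpd will reject"
keynote_licensee "$demo_dir/host.crt"
rm -r "$demo_dir"
```

Run it against /etc/isakmpd/certs/ by replacing the demo directory; a file that reports anything other than CERTIFICATE is one isakmpd will log the PEM_read_bio_X509 error for. If the alias was the reason for -setalias, a plain re-export with `openssl x509 -in cert -out cert` (no trust options) yields a CERTIFICATE block again; keynote_licensee applied to the CA file produces the Licensees line without hand-joining the base64.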
