
isakmpd & ca cert woes



I am posting this for the benefit of the archives, in the hope that it
will save someone else from going through the hassle that I just had :)

When using certificate authentication in isakmpd, be careful to ensure
that your system clocks are synchronised. Specifically, the clocks on the
machines which run isakmpd *must not* be running behind the clock on the
CA.

When the CA signs an X.509 certificate request, it includes a validity
period which has both a start and end time. Part of the certificate
verification process is a check of these times against the system clock.
If the clock is not within the validity period specified in the cert,
the signature will be ignored. This check is done silently by libcrypto.

The problem occurred when I was trying to set up an IPsec VPN between
two security gateways with certificate authentication. The configuration
had only certificates for the local ID and the CA stored on the security
gateways (i.e. the responding host did not have a copy of the peer's
cert).

I couldn't for the life of me figure out why authentication was failing
(with error "rsa_sig_decode_hash: received CERT can't be validated"),
until I synced the clocks.

-d

-- 
| Damien Miller <djm@mindrot.org> \ ``E-mail attachments are the poor man's
| http://www.mindrot.org          /   distributed filesystem'' - Dan Geer
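
The validity-window check described in the post can be reproduced offline before blaming the isakmpd configuration. The following is an added example, not part of the original message: it parses the output of `openssl x509 -noout -dates` and classifies a gateway clock against the window. The sample dates and the function names (`parse_validity`, `check_clock`, `epoch`) are constructed for illustration.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample: output of `openssl x509 -noout -dates -in <cert>` for a
# certificate the CA has just signed (dates are made up for this example).
SAMPLE_DATES = """\
notBefore=Mar  4 10:15:00 2002 GMT
notAfter=Mar  4 10:15:00 2003 GMT
"""

def parse_validity(dates_text):
    """Return (not_before, not_after) as epoch seconds from openssl -dates output."""
    fields = {}
    for line in dates_text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            # ssl.cert_time_to_seconds parses the "Mon DD HH:MM:SS YYYY GMT" form.
            fields[key.strip()] = ssl.cert_time_to_seconds(value.strip())
    if "notBefore" not in fields or "notAfter" not in fields:
        raise ValueError("expected notBefore= and notAfter= lines")
    return fields["notBefore"], fields["notAfter"]

def check_clock(dates_text, gateway_now):
    """Classify a gateway clock (epoch seconds, UTC) against the validity window.

    Returns (status, seconds); seconds is how far the clock lies outside
    the window, or 0 when it is inside.
    """
    not_before, not_after = parse_validity(dates_text)
    if gateway_now < not_before:
        # Gateway clock is behind the CA: the cert is "not yet valid" here.
        return "not-yet-valid", not_before - gateway_now
    if gateway_now > not_after:
        return "expired", gateway_now - not_after
    return "valid", 0

def epoch(y, mo, d, h, mi, s):
    """Epoch seconds for a UTC wall-clock time (helper for the sample run)."""
    return int(datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc).timestamp())

if __name__ == "__main__":
    # Constructed clocks: one gateway 7 minutes behind the CA, one in sync.
    for label, now in [("behind CA", epoch(2002, 3, 4, 10, 8, 0)),
                       ("in sync", epoch(2002, 3, 4, 10, 15, 30))]:
        status, off = check_clock(SAMPLE_DATES, now)
        print(f"{label}: {status} (outside window by {off}s)")
```

A `not-yet-valid` result for a freshly issued certificate points at clock skew between the gateway and the CA rather than at the certificate or the trust chain.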