
isakmpd not reading certs from directory



Greetings:

My ongoing battle to get certs to work needs help with the following:

Having no debug log of a successful negotiation, I found one posted at
http://www.vpnc.org/CertificatesTables/Firebox-OpenBSD-debug; here is
a portion relating to the reading of the local certificates:

163924.365786 Plcy 30 policy_init: initializing
isakmpd in free(): warning: chunk is already free.
isakmpd in free(): warning: chunk is already free.
163924.389321 Default policy_init: kn_add_assertion (0, 0x110180, 68, ASSERT_FLAG_LOCAL) failed
163924.416636 Cryp 40 x509_read_from_dir: reading certs from /etc/isakmpd/ca/
163924.418767 Cryp 60 x509_read_from_dir: reading certificate ca.crt
163924.542891 Cryp 40 x509_read_from_dir: reading certs from /etc/isakmpd/certs/
163924.543327 Cryp 60 x509_read_from_dir: reading certificate test-openbsd.crt
163924.598507 Cryp 70 x509_hash:
163924.599005 Cryp 70 09000000 300f310d 300b0603 55040a13 0456504e 43
163924.599218 Cryp 70 x509_hash_enter: cert 0x14c200 added to bucket 18
163924.599302 Cryp 70 x509_hash:
163924.599367 Cryp 70 02000000 74657374 2d6f7065 6e627364 2e76706e 632e6f72 67
163924.599406 Cryp 70 x509_hash_enter: cert 0x14c200 added to bucket 63
163924.599816 Plcy 90 x509_generate_kn: generating KeyNote policy for certificate 0x14c200
163924.621295 Plcy 80 x509_generate_kn: added policy:
Authorizer: "DN:/O=VPNC/OU=Conformance testing root 1"
Licensees: "DN:/O=VPNC"
Conditions: GMTTimeOfDay >= "20010521192403" && GMTTimeOfDay <= "20090807192403";

The important lines include the string "reading certificate".

     ----- ----- ----- ----- ----- ----- ----- ----- -----
Here is the -DA=99 log segment from our machine; note the lack of any
"reading certificate" string:


173856.182245 Plcy 30 policy_init: initializing
173856.183101 Misc 95 conf_get_str: [General]:Policy-file->/etc/isakmpd/isakmpd.policy
173856.221903 Misc 95 conf_get_str: [X509-certificates]:CA-directory->/etc/isakmpd/ca/
173856.223375 Cryp 40 x509_read_from_dir: reading certs from /etc/isakmpd/ca/
173856.247335 Misc 95 conf_get_str: [X509-certificates]:Cert-directory->/etc/isakmpd/certs/
173856.248610 Cryp 40 x509_read_from_dir: reading certs from /etc/isakmpd/certs/
173856.271925 Misc 95 conf_get_str: [X509-certificates]:CRL-directory->/etc/isakmpd/crls/
173856.272889 Cryp 40 x509_read_crls_from_dir: reading CRLs from /etc/isakmpd/crls/
173856.295718 Misc 95 conf_get_str: [General]:Listen-on->172.16.5.1
173856.297963 Misc 95 conf_get_str: [General]:Listen-on->172.16.5.1
173856.300210 Misc 95 conf_get_str: [General]:Listen-on->172.16.5.1
173856.302303 Misc 95 conf_get_str: [General]:Listen-on->172.16.5.1
173856.304385 Misc 95 conf_get_str: [General]:Listen-on->172.16.5.1
173856.306526 Misc 95 conf_get_str: [General]:Listen-on->172.16.5.1
173856.309043 Trpt 70 transport_add: adding 0x2d50c0
173856.309914 Trpt 95 transport_reference: transport 0x2d50c0 now has 1 references


The CA certificate is in /etc/isakmpd/ca mode 0600 owned by root;
the 'local.crt' certificate is in /etc/isakmpd/certs mode 0600 owned by
root.

This is a diskless machine; filesystems are NFS mounted and the NFS server
does not provide locking.

I hope this symptom has some probable causes which can be explored before
I have to pepper the code with printfs.

All help is much appreciated.

Michael Grigoni
Cybertheque Museum
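An added illustration, not part of the message above and not isakmpd's own code: a directory scan of the kind x509_read_from_dir performs, written to show one check a practitioner would make when a loader walks a certificate directory and logs nothing for files that are plainly there. The hypothetical filter below trusts the readdir(3) d_type hint only when it says DT_REG, falls back to stat(2) when the filesystem reports DT_UNKNOWN (a filesystem that returns no type information, which NFS mounts commonly do not provide, is the case this guards), and is compared with a naive variant that silently drops every DT_UNKNOWN entry. The post does not establish that this is the cause of the symptom; the function names and the fixture directory are constructed for the example.

```c
#define _DEFAULT_SOURCE
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical robust filter (not isakmpd code): decide whether a directory
 * entry is a regular file worth handing to the certificate loader.  d_type is
 * only a hint; a filesystem may report DT_UNKNOWN for every entry, so in that
 * case ask stat(2) instead of dropping the entry. */
int is_regular_entry(const char *dir, unsigned char d_type, const char *name)
{
    char path[4096];
    struct stat st;

    if (d_type == DT_REG)
        return 1;
    if (d_type != DT_UNKNOWN)
        return 0;               /* type is known and it is not a regular file */
    if (snprintf(path, sizeof path, "%s/%s", dir, name) >= (int)sizeof path)
        return 0;               /* path too long: refuse rather than truncate */
    if (stat(path, &st) == -1)
        return 0;
    return S_ISREG(st.st_mode) ? 1 : 0;
}

/* Naive filter: trusts d_type alone, so DT_UNKNOWN entries are never loaded. */
int is_regular_entry_naive(unsigned char d_type)
{
    return d_type == DT_REG;
}

/* Walk a certificate directory and count the entries the chosen filter would
 * pass on; with verbose set, print a line per accepted file in the spirit of
 * the "reading certificate" debug message.  Returns -1 if dir cannot be opened. */
int count_cert_files(const char *dir, int naive, int verbose)
{
    DIR *d = opendir(dir);
    struct dirent *e;
    int n = 0;

    if (d == NULL)
        return -1;
    while ((e = readdir(d)) != NULL) {
        int ok = naive ? is_regular_entry_naive(e->d_type)
                       : is_regular_entry(dir, e->d_type, e->d_name);
        if (!ok)
            continue;
        if (verbose)
            printf("reading certificate %s\n", e->d_name);
        n++;
    }
    closedir(d);
    return n;
}

/* Constructed fixture: a temp directory holding one placeholder cert file and
 * one subdirectory.  Created once; returns the path or NULL on failure. */
const char *fixture_dir(void)
{
    static char dir[] = "/tmp/isakmpd-certs.XXXXXX";
    static int ready = 0;
    char path[4096];
    FILE *f;

    if (ready)
        return dir;
    if (mkdtemp(dir) == NULL)
        return NULL;
    snprintf(path, sizeof path, "%s/local.crt", dir);
    if ((f = fopen(path, "w")) == NULL)
        return NULL;
    fputs("-----BEGIN CERTIFICATE-----\n(constructed placeholder, not a real cert)\n"
          "-----END CERTIFICATE-----\n", f);
    fclose(f);
    snprintf(path, sizeof path, "%s/subdir", dir);
    if (mkdir(path, 0700) == -1)
        return NULL;
    ready = 1;
    return dir;
}

int main(void)
{
    const char *dir = fixture_dir();
    if (dir == NULL)
        return 1;
    printf("robust filter: %d file(s)\n", count_cert_files(dir, 0, 1));
    printf("naive filter:  %d file(s)\n", count_cert_files(dir, 1, 1));
    /* Simulate a readdir(2) that reports no type for local.crt. */
    printf("local.crt as DT_UNKNOWN: robust=%d naive=%d\n",
           is_regular_entry(dir, DT_UNKNOWN, "local.crt"),
           is_regular_entry_naive(DT_UNKNOWN));
    return 0;
}
```

On a local filesystem both filters accept local.crt because readdir(3) fills in DT_REG; the last line of output shows what happens when the type hint is absent, which is the situation to rule out on a mount that does not supply it.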


