On 2015-08-19, Reyk Floeter <[email protected]> wrote:
> On Wed, Aug 19, 2015 at 02:04:47PM +1000, Jonathan Gray wrote:
>> On Tue, Aug 18, 2015 at 09:22:14PM +0200, Reyk Floeter wrote:
>> > On Tue, Aug 18, 2015 at 02:26:29PM +0000, Jona Joachim wrote:
>> > > Hi,
>> > > I'm currently trying to set up a road warrior IKEv2 IPSEC tunnel between
>> > > two OpenBSD boxes running a recent amd64 snapshot. The client is behind
>> > > a NAT.
>> > > The setup works with a PSK but I cannot make it work with RSA
>> > > certificates. No matter what I tried, the client seems to fail
>> > > connecting with:
>> > > ca_getreq: no valid local certificate found
>> > >
>> > > I turn to the mailing list to see if anybody can point me in the right
>> > > direction.
>> > >
>> > > I loosely followed the following guide:
>> > > http://puffysecurity.com/wiki/openikedoffshore.html
>> > > I will try to shorten the command output to make it more readable.
>> > >
>> > > There is an OpenSSL error during the creation of the CA concerning a
>> > > missing element in openssl.cnf. I did not modify openssl.cnf.
>> > >
>> > > On the server side I did the following:
>> > >
>> > > # ikectl ca ikeca create
>> > > [...]
>> > > Signature ok
>> > > subject=/C=NL/CN=ikeca/[email protected]
>> > > Getting Private key
>> > > Using configuration from /etc/ssl/openssl.cnf
>> > > variable lookup failed for ca::default_ca
>> > > 7504668282756:error:0E06D06C:configuration file
>> > > routines:NCONF_get_string:no
>> > > value:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/conf/conf_lib.c:323:group=ca
>> > > name=default_ca
>> > >
>> >
>> > It seems that the changes in LibreSSL (or newer OpenSSL before the
>> > fork) broke some things in ikectl.
>> >
>> > Specifically, the possibility to overwrite variables like CERTIP or
>> > CERTFQDN via $ENV:: options in x509v3.cnf ikeca.cnf* seems to be
>> > broken; or no longer supported because of security concerns.
>> >
>> > Your log file gives a hint that the default "CERTFQDN = nohost.nodomain"
>> > value from /etc/ssl/x509v3.cnf (or /etc/ssl/ikeca.cnf) is used instead
>> > of the CERTFQDN overwrite from the environment (as set by ikectl):
>> >
>> > > ca_getreq: found CA /C=NL/CN=ikeca/[email protected]
>> > > ca_x509_subjectaltname: FQDN/nohost.nodomain
>> > > ca_x509_subjectaltname_cmp: FQDN/nohost.nodomain mismatched
>> > > ca_getreq: no valid local certificate found
>> >
>> > If libressl no longer supports $ENV in the .cnf files, we have to find
>> > another way, e.g. by generating and using a .cnf file for each
>> > certificate.
>>
>> LibreSSL purposefully removed support for environment variables in
>> http://marc.info/?l=openbsd-cvs&m=142876823016723&w=2
>> http://marc.info/?l=openbsd-cvs&m=142876823016723&w=2
>>
>> So another way is indeed needed.
>
> In this case, "LibreSSL" was Theo who unintentionally broke ikectl.
>
> I attached a diff that generates new .cnf files by expanding the
> variables in the source .cnf files and generating target .cnf files.
> It works with both ikeca.cnf and x509v3.cnf (ignore the warnings),
> but you/we should install ikeca.cnf to /etc/ssl/ by default.
The patch fixes certificate generation for me. SubjectAltName gets set correctly and iked is happy. It is unfortunate that openssl does not accept SANs as command line arguments. I like the nice string expansion solution. Maybe libtls will wrap this up nicely, making it possible to generate the certificates through the API.
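As an added illustration of the workaround Reyk describes above (expanding the $ENV:: references into a per-certificate .cnf before openssl reads it), here is a small POSIX shell version. It is an example written for this page, not the diff attached to his mail and not any file shipped with OpenBSD: the template, the section names and the values are constructed, and the real /etc/ssl/x509v3.cnf and ikeca.cnf may be laid out differently. The point it adds to the thread is the check at the end: a reference that received no value is reported before openssl is run, instead of a default subjectAltName ending up in the signed certificate, which is the symptom (FQDN/nohost.nodomain) Jona saw.

```shell
#!/bin/sh
# Added example (not the thread's diff, not OpenBSD's own files): expand
# $ENV::NAME references in an OpenSSL-style .cnf template into a
# per-certificate .cnf, replacing the $ENV:: lookups LibreSSL no longer does.
# The template, section names and values below are constructed for this example.

TEMPLATE_CNF='[ req ]
distinguished_name = req_distinguished_name
x509_extensions = x509v3_FQDN

[ req_distinguished_name ]
commonName = Common Name

[ x509v3_FQDN ]
subjectAltName = DNS:$ENV::CERTFQDN

[ x509v3_IPAddr ]
subjectAltName = IP:$ENV::CERTIP
'

# expand_cnf TEMPLATE_TEXT NAME=VALUE [NAME=VALUE ...]
# Prints the template with every $ENV::NAME replaced by VALUE. References
# that received no value are deliberately left in place so unexpanded_refs
# can flag them, rather than openssl silently using a placeholder.
expand_cnf() {
    text=$1
    shift
    for kv in "$@"; do
        name=${kv%%=*}
        value=${kv#*=}
        # escape the characters that are special on sed's replacement side
        esc=$(printf '%s' "$value" | sed 's/[\/&]/\\&/g')
        # [$] matches a literal dollar sign in a sed basic regular expression
        text=$(printf '%s\n' "$text" | sed "s/[\$]ENV::${name}/${esc}/g")
    done
    printf '%s\n' "$text"
}

# unexpanded_refs CNF_TEXT
# Returns 0 when no $ENV:: reference remains; otherwise prints the leftover
# references, one per line, and returns 1 so the caller can refuse to run openssl.
unexpanded_refs() {
    refs=$(printf '%s\n' "$1" | grep -o '[$]ENV::[A-Za-z_][A-Za-z0-9_]*' | sort -u)
    [ -z "$refs" ] && return 0
    printf '%s\n' "$refs"
    return 1
}

# Demonstration with constructed values. In real use the expanded text would be
# written to a per-certificate file and handed to openssl with -config.
cnf=$(expand_cnf "$TEMPLATE_CNF" CERTFQDN=client.example.net CERTIP=192.0.2.10)
if unexpanded_refs "$cnf" >/dev/null; then
    printf '%s\n' "$cnf"
fi
```

The substitution is done with sed on a copy of the template, so the installed .cnf is never modified and each certificate gets its own generated file; values are escaped before they reach the replacement side of the sed expression so a slash or ampersand in a value cannot break or alter the expression.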

