On 1/14/2022 10:01 PM, Paul Wouters wrote:
2. I would like to test the interoperability of ECDSA certs with
IKEv2, Win 10, Android and maybe even iOS devices when I get some for
testing ... also a Linux desktop client comes to mind ... but I miss
the reference material and Google is not revealing much ...
It works the same as RSA certs if every aspect other than generating the
certificates with the other algorithm, and perhaps ensuring the authby=
is using "ecdsa" (although the default should already include that and
you should be able to omit it)
Unfortunately, this did not work out right. I have created ECDSA certs,
but Windows 10 native client doesn't see the ecdsa cert in the store, it
offers the cert for another VPN instead.
Note, I was trying to log into the ALU IKEv2 VPN, and it had offered the
laptop-mtodorov.grf.hr cert.
I can't seem to see a way out of this.
Here is the session log if you want to see for yourself:
https://domac.alu.hr/mtodorov/ikev2-20220115-ecdsa-01.log
What I did was basically this (I tried automating those painstaking
menus of certutil for so many certs issued again and again):
root@domac:~# cat gencerts-ecdsa-alu.sh
#!/bin/bash -f
# mtodorov 2022-01-15
export PARM='--keyUsage digitalSignature,keyEncipherment
--extKeyUsage serverAuth,clientAuth'
rm /var/lib/ipsec/nss/cert9.db /var/lib/ipsec/nss/key4.db
ipsec initnss
rm -r tmpdb/
mkdir ${HOME}/tmpdb
echo "Initializing cert db:"
certutil -N -d sql:${HOME}/tmpdb
echo "Creating CA cert:"
certutil -S -x -n "ALU-UNIZG CA" -s "O=ALU-UNIZG,CN=ALU-UNIZG CA" -k
rsa -g 4096 -v 12 -d sql:${HOME}/tmpdb -t "CT,," -2
echo "Creating server cert:"
certutil -S -c "ALU-UNIZG CA" -n "vpn.alu.hr" -s
"O=ALU-UNIZG,CN=vpn.alu.hr" -k rsa -g 4096 -v 12 -d sql:${HOME}/tmpdb
-t ",," ${PARM} -8 "vpn.alu.hr"
echo "Creating client certs:"
certutil -S -c "ALU-UNIZG CA" -n "pc-mtodorov.alu.hr" -s
"O=ALU-UNIZG,CN=pc-mtodorov.alu.hr" -k ec -q secp384r1 -v 12 -d
sql:${HOME}/tmpdb -t ",," ${PARM} -8 "pc-mtodorov.alu.hr"
certutil -S -c "ALU-UNIZG CA" -n "laptop-mtodorov.alu.hr" -s
"O=ALU-UNIZG,CN=laptop-mtodorov.alu.hr" -k ec -q secp384r1 -v 12 -d
sql:${HOME}/tmpdb -t ",," ${PARM} -8 "laptop-mtodorov.alu.hr"
certutil -S -c "ALU-UNIZG CA" -n "phone-mtodorov.alu.hr" -s
"O=ALU-UNIZG,CN=phone-mtodorov.alu.hr" -k ec -q secp384r1 -v 12 -d
sql:${HOME}/tmpdb -t ",," ${PARM} -8 "phone-mtodorov.alu.hr"
certutil -S -c "ALU-UNIZG CA" -n "tablet-mtodorov.alu.hr" -s
"O=ALU-UNIZG,CN=tablet-mtodorov.alu.hr" -k ec -q secp384r1 -v 12 -d
sql:${HOME}/tmpdb -t ",," ${PARM} -8 "tablet-mtodorov.alu.hr"
certutil -L -d sql:${HOME}/tmpdb/
pk12util -o pc-mtodorov.alu.hr.p12 -n "pc-mtodorov.alu.hr" -d
sql:${HOME}/tmpdb/
pk12util -o laptop-mtodorov.alu.hr.p12 -n "laptop-mtodorov.alu.hr" -d
sql:${HOME}/tmpdb/
pk12util -o phone-mtodorov.alu.hr.p12 -n "phone-mtodorov.alu.hr" -d
sql:${HOME}/tmpdb/
pk12util -o tablet-mtodorov.alu.hr.p12 -n "tablet-mtodorov.alu.hr" -d
sql:${HOME}/tmpdb/
pk12util -o vpn.alu.hr.p12 -n "vpn.alu.hr" -d sql:${HOME}/tmpdb/
ipsec import vpn.alu.hr.p12
The same method works a OK with RSA certs, so I suppose there is
something wrong in the way Windows 10 selects certificates, or I was
creating in making things fail ...
Any help would be appreciated.
I would love to see EC certs work, for I believe they are better for
mobile devices.
Kind regards,
Mirsad
--
Mirsad Goran Todorovac
CARNet sistem inženjer
Grafički fakultet | Akademija likovnih umjetnosti
Sveučilište u Zagrebu
--
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
