On 1/15/2022 9:25 AM, Mirsad Goran Todorovac wrote:

On 1/14/2022 10:01 PM, Paul Wouters wrote:

2. I would like to test the interoperability of ECDSA certs with IKEv2, Win 10, Android and maybe even iOS devices when I get some for testing ... also a Linux desktop client comes to mind ... but I miss the reference material and Google is not revealing much ...

It works the same as RSA certs if every aspect other than generating the
certificates with the other algorithm, and perhaps ensuring the authby=
is using "ecdsa" (although the default should already include that and
you should be able to omit it)

FYI, I have noticed that I generated RSA CA and server cert and ECDSA client certs in the previous email. To fix that, I have repeated the entire installation with this fixed script, but the same result: Win 10 gives wrong cert, or no cert if ECDSA cert is alone in the store. RSA certs in the same place work fine.

The script:

#!/bin/bash
# mtodorov 2022-01-15

  export PARM='--keyUsage digitalSignature,keyEncipherment --extKeyUsage serverAuth,clientAuth'
  rm /var/lib/ipsec/nss/cert9.db  /var/lib/ipsec/nss/key4.db
  ipsec initnss
  rm -r tmpdb/
  mkdir ${HOME}/tmpdb
  echo "Initializing cert db:"
  certutil -N -d sql:${HOME}/tmpdb
  echo "Creating CA cert:"
  certutil -S -x -n "ALU-UNIZG CA" -s "O=ALU-UNIZG,CN=ALU-UNIZG CA" -k ec -q secp384r1 -v 12 -d sql:${HOME}/tmpdb -t "CT,," -2
  echo "Creating server cert:"
  certutil -S -c "ALU-UNIZG CA" -n "vpn.alu.hr" -s "O=ALU-UNIZG,CN=vpn.alu.hr" -k ec -q secp384r1 -v 12 -d sql:${HOME}/tmpdb -t ",," ${PARM} -8 "vpn.alu.hr"
  echo "Creating client certs:"
  certutil -S -c "ALU-UNIZG CA" -n "pc-mtodorov.alu.hr" -s "O=ALU-UNIZG,CN=pc-mtodorov.alu.hr" -k ec -q secp384r1 -v 12 -d sql:${HOME}/tmpdb -t ",," ${PARM} -8 "pc-mtodorov.alu.hr"
  certutil -S -c "ALU-UNIZG CA" -n "laptop-mtodorov.alu.hr" -s "O=ALU-UNIZG,CN=laptop-mtodorov.alu.hr" -k ec -q secp384r1 -v 12 -d sql:${HOME}/tmpdb -t ",," ${PARM} -8 "laptop-mtodorov.alu.hr"
  certutil -S -c "ALU-UNIZG CA" -n "phone-mtodorov.alu.hr" -s "O=ALU-UNIZG,CN=phone-mtodorov.alu.hr" -k ec -q secp384r1 -v 12 -d sql:${HOME}/tmpdb -t ",," ${PARM} -8 "phone-mtodorov.alu.hr"
  certutil -S -c "ALU-UNIZG CA" -n "tablet-mtodorov.alu.hr" -s "O=ALU-UNIZG,CN=tablet-mtodorov.alu.hr" -k ec -q secp384r1 -v 12 -d sql:${HOME}/tmpdb -t ",," ${PARM} -8 "tablet-mtodorov.alu.hr"
  certutil -L -d sql:${HOME}/tmpdb/

  pk12util -o pc-mtodorov.alu.hr.p12 -n "pc-mtodorov.alu.hr" -d sql:${HOME}/tmpdb/
  pk12util -o laptop-mtodorov.alu.hr.p12 -n "laptop-mtodorov.alu.hr" -d sql:${HOME}/tmpdb/
  pk12util -o phone-mtodorov.alu.hr.p12 -n "phone-mtodorov.alu.hr" -d sql:${HOME}/tmpdb/
  pk12util -o tablet-mtodorov.alu.hr.p12 -n "tablet-mtodorov.alu.hr" -d sql:${HOME}/tmpdb/
  pk12util -o vpn.alu.hr.p12 -n "vpn.alu.hr" -d sql:${HOME}/tmpdb/
  ipsec import vpn.alu.hr.p12

  chmod 444 *-mtodorov.alu.hr.p12
  mv *-mtodorov.alu.hr.p12 /srv/www/domac.alu.hr/vpn/ec

I may be doing some (to you) obvious error again. However, Android won't even connect to IKEv2 if ecdsa is even one of the options in authby=, it has to be authby=rsa-sha1 alone. :(

The next step should probably be to try strongswan client, but I tried to avoid that. The best way would be to have RSA and EC certificates coexist as auth options in the database, so some clients would use RSA auth and those who know EC. But I don't know how to make that work in a single NSS certificate store.

Kind regards,
Mirsad

--
Mirsad Goran Todorovac
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355
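
Added example, not part of the original message or of libreswan: a check for the mix-up described above (RSA CA with ECDSA client certs), reporting for each certificate the family of its own key and of the signature its issuer put on it. The algorithm strings matched are assumed to be the ones printed by certutil -L -n and openssl x509 -text; the two sample dumps are constructed.

```bash
#!/bin/bash
# Added example (not from the original post): report which key family a
# certificate holds and which family signed it, from a text dump on stdin.

# Map one "... Algorithm:" line to ec, rsa or unknown.
alg_family() {
  case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
    *ecdsa*|*"elliptic curve"*|*id-ecpublickey*) echo ec ;;
    *rsa*) echo rsa ;;
    *) echo unknown ;;
  esac
}

# Print "<subject key family> <issuer signature family>" for one dump.
cert_algs() {
  local dump key sig
  dump=$(cat)
  key=$(printf '%s\n' "$dump" | grep -i -m1 'Public Key Algorithm:' || true)
  sig=$(printf '%s\n' "$dump" | grep -i -m1 'Signature Algorithm:' || true)
  echo "$(alg_family "$key") $(alg_family "$sig")"
}

# Check every nickname in an NSS database; non-zero if any is not EC end to end.
# Usage: audit_nss sql:${HOME}/tmpdb "ALU-UNIZG CA" vpn.alu.hr pc-mtodorov.alu.hr
audit_nss() {
  local db=$1 nick algs rc=0
  shift
  for nick in "$@"; do
    algs=$(certutil -L -d "$db" -n "$nick" | cert_algs)
    echo "$nick: key=${algs% *} signed-by=${algs#* }"
    [ "$algs" = "ec ec" ] || rc=1
  done
  return $rc
}

# Constructed excerpts: an EC client cert signed by an RSA CA, and an all-EC one.
SAMPLE_MIXED='    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Issuer: "CN=ALU-UNIZG CA,O=ALU-UNIZG"
    Subject: "CN=pc-mtodorov.alu.hr,O=ALU-UNIZG"
    Public Key Algorithm: X9.62 elliptic curve public key'
SAMPLE_EC='    Signature Algorithm: X9.62 ECDSA signature with SHA256
    Issuer: "CN=ALU-UNIZG CA,O=ALU-UNIZG"
    Subject: "CN=pc-mtodorov.alu.hr,O=ALU-UNIZG"
    Public Key Algorithm: X9.62 elliptic curve public key'

printf '%s\n' "$SAMPLE_MIXED" | cert_algs
printf '%s\n' "$SAMPLE_EC" | cert_algs
```

Run audit_nss against the temporary database before exporting the .p12 files, so a certificate signed by the wrong CA key type is caught before it reaches a client.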
