Hi Paul, As asked please find attachment having the output of the command you asked to run, to check certificate content.
Thanks in advance, Mayur ________________________________ From: Paul Wouters <p...@nohats.ca> Sent: 12 October 2023 21:56 To: Mayur Nakade <mayur.nak...@radisys.com> Cc: swan@lists.libreswan.org <swan@lists.libreswan.org> Subject: Re: [Swan] IKE failure/Issue with Subject Alternative Name The e-mail below is from an external source. Please do not open attachments or click links from an unknown or suspicious origin. On Thu, 12 Oct 2023, Paul Wouters wrote: > It does strongly suggest you do not have a subjectAltName extension, and > trusting CN= is no longer considered secure. I should clarify this: https://datatracker.ietf.org/doc/html/rfc2818#section-3.1 If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead. Mostly because of the WebPKI, and things like ACME that can authenticate a DNS name or IP in a subjectAltName, but not the random data within a CN=. Also because of multiple SAN entries, the CN= is kind of losing its meaning. In the context of enduser certificates, it is obviously still very valid and also secure. Sorry for the confusion. Paul
HostB certificate as below -bash-4.2# openssl x509 -in hostB.crt -noout -text Certificate: Data: Version: 3 (0x2) Serial Number: 76:1e:9d:b6:b6:33:38:0b:c2:6d:d7:0a:90:fd:e1:0f:46:06:38:40 Signature Algorithm: sha256WithRSAEncryption Issuer: C = IN, ST = karnataka, L = Bengaluru, O = rsys, OU = r&d, CN = ca.cert.com Validity Not Before: Oct 11 11:39:41 2023 GMT Not After : Oct 10 11:39:41 2024 GMT Subject: C = IN, ST = karnataka, L = Bengaluru, O = rsys, OU = r&d, CN = hostB.cert.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (2048 bit) Modulus: 00:d5:e3:fa:19:a1:cc:8f:22:57:6d:fa:2e:8c:51: 12:ea:a4:e5:c4:af:8f:12:3d:97:98:6d:a4:01:a1: 94:3a:5e:1e:8a:2c:78:1a:09:e4:02:6b:a1:26:f6: 6c:47:13:6a:2e:ef:55:db:3b:89:10:72:a5:da:38: 45:ad:d3:ba:c9:72:4c:22:8f:a1:12:b0:23:ff:a3: 55:99:c8:b9:7d:bb:12:c8:57:91:8f:f3:40:ec:4f: 71:83:20:fa:e9:ba:9f:2e:5e:25:b9:9e:07:61:ac: de:30:81:ad:4a:fc:f0:67:af:c6:b3:8b:00:79:f9: 3c:57:b3:4b:6a:d2:31:74:7e:df:ec:9b:32:35:b8: 99:76:c5:9d:71:c7:b9:84:43:e4:40:1a:33:27:0f: c2:e2:9a:5a:f1:9c:28:31:2b:37:66:bd:b5:d5:fa: 91:cb:c6:8f:bd:fe:31:3b:43:19:87:d9:b1:43:9b: 61:f4:7f:0d:d7:f9:d2:67:36:bf:4a:0c:e3:59:96: 58:73:87:8e:0d:6c:e8:48:95:fe:39:7f:ae:7d:3a: f2:c6:55:15:61:52:e5:d5:ed:ed:3c:4a:a5:cd:d3: dc:8a:92:c1:07:6f:fe:db:ae:21:82:ec:e8:51:33: 4d:97:6d:1d:2f:dd:f4:fa:6f:8a:91:dc:21:66:a2: 8f:4b Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment X509v3 Subject Alternative Name: DNS:hostB.cert.com, DNS:www.hostB.cert.com, IP Address:10.20.20.3 Signature Algorithm: sha256WithRSAEncryption 97:4d:b9:0d:61:aa:94:c9:ba:38:0f:ad:62:93:2e:30:ee:83: f6:bd:f6:6c:90:f0:df:f9:6e:c1:78:a3:55:ad:0f:d8:26:6a: e0:09:ab:f7:3a:ab:7f:06:58:16:a8:5a:8a:48:14:9b:0e:4c: 6a:e9:82:86:05:ee:73:9f:e9:ef:40:93:e6:93:67:92:53:49: 0a:89:fc:0d:6f:06:61:17:29:5b:53:12:ab:aa:47:6e:3e:20: 23:0c:dc:e0:84:cf:e8:0a:3b:60:a4:73:a4:21:50:a9:f5:3e: dd:70:8a:a0:12:6d:94:da:3c:dc:8f:8f:fc:54:ae:ce:ee:98: c6:54:8a:21:8e:43:b8:8c:bc:ba:26:c6:e2:7b:9a:09:70:4b: 0e:4f:04:28:18:d4:e2:9e:ce:9f:c2:d7:ae:7d:52:d3:0b:70: 98:cc:39:c1:dd:aa:f9:8b:d8:19:be:6e:44:72:0b:19:c7:27: 02:ac:9a:9c:30:16:ac:83:96:97:59:4e:bf:f2:c2:47:16:59: 3e:e3:8c:01:47:35:7b:8d:b3:84:ae:0b:68:7d:07:8d:82:2b: 9a:b1:e2:c6:07:ef:92:9a:6f:61:6b:03:3f:8f:eb:f7:09:28: b5:66:76:77:ed:49:17:56:ef:91:fc:f3:da:0d:5e:49:9d:a2: 5a:5a:5f:6e -------------------------------------------------------------------------------------------------------------------------------------------- CA certificate of hostB as below -bash-4.2# openssl x509 -in CA.crt -noout -text Certificate: Data: Version: 3 (0x2) Serial Number: c7:6c:b5:9f:76:01:0f:f1 Signature Algorithm: sha256WithRSAEncryption Issuer: C = IN, ST = karnataka, L = Bengaluru, O = rsys, OU = r&d, CN = ca.cert.com Validity Not Before: Oct 11 04:47:29 2023 GMT Not After : Oct 10 04:47:29 2024 GMT Subject: C = IN, ST = karnataka, L = Bengaluru, O = rsys, OU = r&d, CN = ca.cert.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (2048 bit) Modulus: 00:c7:47:67:fe:bd:d6:89:82:2b:9e:71:49:89:ed: 62:b9:7b:31:1b:ea:2d:7f:89:c9:31:21:5d:f2:fd: 3a:93:d4:f9:f2:ff:66:51:e2:ea:73:2c:94:ca:70: bc:b3:36:54:fc:6f:03:0e:0a:00:57:57:8a:41:87: 2d:52:31:d7:fc:64:bd:b4:55:25:d8:f6:2c:5f:dc: b9:17:09:c0:c2:6f:46:4d:fc:18:b5:93:4b:97:b8: c5:d0:03:16:87:a9:bc:bb:a3:e7:80:36:ed:4a:d2: 92:88:03:f1:25:b4:72:d6:70:01:7d:cf:34:e1:5a: f4:27:a9:3e:d7:be:99:d3:1a:db:a2:a8:3c:0e:fb: 4b:f1:43:d1:79:17:fc:7e:1a:e7:0a:54:0f:6b:bc: b5:30:4a:29:4b:d0:55:68:e4:89:77:87:39:04:1f: d6:f9:f0:35:a2:3c:7d:de:99:c7:44:0a:77:e0:6c: b9:34:87:4c:59:a8:f6:8c:10:d8:23:a0:21:7f:c1: 0e:c7:88:4e:79:e1:23:fd:33:65:98:ce:cc:d7:25: 85:64:32:b2:36:a2:55:36:38:13:ef:9e:08:b1:19: d2:cc:e6:30:2d:5e:27:1e:c2:c7:30:aa:ed:22:bb: f9:e0:3f:43:b4:1b:41:4d:ae:76:37:b8:95:a8:a2: fd:d3 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: D2:0E:EE:8F:4F:2C:C3:9E:39:9B:35:48:71:38:C1:66:5D:A3:2C:78 X509v3 Authority Key Identifier: keyid:D2:0E:EE:8F:4F:2C:C3:9E:39:9B:35:48:71:38:C1:66:5D:A3:2C:78 X509v3 Basic Constraints: CA:TRUE Signature Algorithm: sha256WithRSAEncryption a9:b7:8e:57:a2:c1:c9:4f:4b:04:84:92:34:f1:46:d8:28:b8: f4:f6:b4:ea:fe:67:c0:09:96:d4:26:fb:69:43:89:77:5a:fb: 5e:c6:38:53:af:a7:d7:ad:50:ed:f4:f0:bb:16:d6:03:18:2c: a3:e4:b4:a5:a0:23:fd:40:6d:47:14:7e:2e:d1:9c:a7:12:e5: ca:80:2f:81:88:80:fa:13:91:b2:82:c8:c1:77:95:70:fc:0d: ec:86:9e:e3:80:99:64:a3:c2:2d:45:8e:24:02:79:81:33:d5: 0d:6d:b9:e1:e9:57:ac:69:e5:7c:63:5b:68:4f:2e:3f:85:58: e9:88:06:11:e2:6d:83:c8:cf:65:e0:f8:16:f3:a5:f2:4d:bf: 28:0b:22:97:f7:a5:bd:8e:66:21:bc:83:90:da:c9:09:40:d4: 3c:d9:4b:5d:1c:22:ff:79:00:04:d3:de:9a:a6:66:a6:52:e6: 0f:29:cf:d6:48:d1:e5:7d:ab:d9:58:8d:2c:40:86:0f:c7:6f: eb:45:e6:cf:3e:dc:21:5d:56:5f:ff:89:cc:6c:23:69:46:18: 8e:5f:a7:ab:89:8e:14:83:a7:0d:d1:08:0b:b5:a8:b2:60:32: 9e:c3:5f:82:a1:70:73:ff:a2:c6:88:a9:6b:48:c1:a0:8d:e6: 8e:f5:b2:4e
_______________________________________________ Swan mailing list Swan@lists.libreswan.org https://lists.libreswan.org/mailman/listinfo/swan