Issue #1180

Android client supports pan-domain certificate?

Added by ballack W about 5 years ago. Updated about 5 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: android
Affected version:
Resolution: Duplicate

Description

Hello,
I built a pan-domain certificate *.zhiben.info and imported the certificate to an Android phone; the strongSwan Android client selects this certificate.
The server address is 192.168.0.10. I modified the Android hosts file, 192.168.0.10 points to test.zhiben.info, and the connection fails. Logs are shown below.
Is there a problem with the certificate, or does the client not support pan-domain certificates?
However, connecting with this certificate on a Win7 system is successful.

Android client log shows:
Oct 28 13:51:52 00[DMN] Starting IKE charon daemon (strongSwan 5.3.3dr1, Linux 3.10.28-ge1fe054, armv7l)
Oct 28 13:51:53 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey pkcs1 pkcs8 pem xcbc hmac socket-default eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls
Oct 28 13:51:53 00[JOB] spawning 16 worker threads
Oct 28 13:51:53 11[IKE] initiating IKE_SA android[3] to 192.168.0.10
Oct 28 13:51:53 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
Oct 28 13:51:53 11[NET] sending packet: from 192.168.0.161[60613] to 192.168.0.10[500] (1012 bytes)
Oct 28 13:51:53 09[NET] received packet: from 192.168.0.10[500] to 192.168.0.161[60613] (448 bytes)
Oct 28 13:51:53 09[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Oct 28 13:51:53 09[IKE] faking NAT situation to enforce UDP encapsulation
Oct 28 13:51:53 09[IKE] sending cert request for "C=CN, O=zhiben, CN=*.zhiben.info"
Oct 28 13:51:53 09[IKE] establishing CHILD_SA android
Oct 28 13:51:53 09[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Oct 28 13:51:53 09[NET] sending packet: from 192.168.0.161[44471] to 192.168.0.10[4500] (524 bytes)
Oct 28 13:51:53 13[NET] received packet: from 192.168.0.10[4500] to 192.168.0.161[44471] (544 bytes)
Oct 28 13:51:53 13[ENC] parsed IKE_AUTH response 1 [ EF ]
Oct 28 13:51:53 13[ENC] received fragment #1 of 3, waiting for complete IKE message
Oct 28 13:51:53 05[NET] received packet: from 192.168.0.10[4500] to 192.168.0.161[44471] (544 bytes)
Oct 28 13:51:53 05[ENC] parsed IKE_AUTH response 1 [ EF ]
Oct 28 13:51:53 05[ENC] received fragment #2 of 3, waiting for complete IKE message
Oct 28 13:51:53 04[NET] received packet: from 192.168.0.10[4500] to 192.168.0.161[44471] (320 bytes)
Oct 28 13:51:53 04[ENC] parsed IKE_AUTH response 1 [ EF ]
Oct 28 13:51:53 04[ENC] received fragment #3 of 3, reassembling fragmented IKE message
Oct 28 13:51:53 04[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Oct 28 13:51:53 04[IKE] received end entity cert "C=CN, O=zhiben, CN=*.zhiben.info"
Oct 28 13:51:53 04[CFG]   using trusted certificate "C=CN, O=zhiben, CN=*.zhiben.info"
Oct 28 13:51:53 04[IKE] signature validation failed, looking for another key
Oct 28 13:51:53 04[CFG]   using certificate "C=CN, O=zhiben, CN=*.zhiben.info"
Oct 28 13:51:53 04[CFG]   using trusted ca certificate "C=CN, O=zhiben, CN=*.zhiben.info"
Oct 28 13:51:53 04[CFG]   reached self-signed root ca with a path length of 0
Oct 28 13:51:53 04[IKE] authentication of 'C=CN, O=zhiben, CN=*.zhiben.info' with RSA signature successful
Oct 28 13:51:53 04[CFG] constraint check failed: identity 'test.zhiben.info' required
Oct 28 13:51:53 04[CFG] selected peer config 'android' inacceptable: constraint checking failed
Oct 28 13:51:53 04[CFG] no alternative config found
Oct 28 13:51:53 04[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
Oct 28 13:51:53 04[NET] sending packet: from 192.168.0.161[44471] to 192.168.0.10[4500] (76 bytes)
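
A small triage helper for logs like the one above, added here as an illustration and not part of the original issue or of strongSwan: it pairs each failed identity constraint with the certificate the server presented and reports whether the CN is a wildcard that would cover the required identity under left-most-label matching. The function names and the matching rule are assumptions made for this example, and the sample lines are constructed from the log format shown above.

```python
import re

# Constructed sample: lines in the charon log format shown in the issue above.
SAMPLE_LOG = """\
Oct 28 13:51:53 04[IKE] received end entity cert "C=CN, O=zhiben, CN=*.zhiben.info"
Oct 28 13:51:53 04[IKE] authentication of 'C=CN, O=zhiben, CN=*.zhiben.info' with RSA signature successful
Oct 28 13:51:53 04[CFG] constraint check failed: identity 'test.zhiben.info' required
Oct 28 13:51:53 04[CFG] selected peer config 'android' inacceptable: constraint checking failed
"""

CERT_RE = re.compile(r'received end entity cert "([^"]+)"')
CONSTRAINT_RE = re.compile(r"constraint check failed: identity '([^']+)' required")


def common_name(dn):
    """Return the CN value of a DN printed as 'C=.., O=.., CN=..', or None."""
    for rdn in dn.split(","):
        key, _, value = rdn.strip().partition("=")
        if key.upper() == "CN":
            return value
    return None


def wildcard_covers(pattern, host):
    """Assumed rule: '*.a.b' covers 'x.a.b' but not 'a.b' or 'y.x.a.b'."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    return len(p) == len(h) >= 3 and p[0] == "*" and h[0] != "" and p[1:] == h[1:]


def triage(log_text):
    """Pair each failed identity constraint with the last end-entity cert seen."""
    findings, cert_dn = [], None
    for line in log_text.splitlines():
        if m := CERT_RE.search(line):
            cert_dn = m.group(1)
        elif (m := CONSTRAINT_RE.search(line)) and cert_dn:
            cn, required = common_name(cert_dn) or "", m.group(1)
            findings.append({
                "required_identity": required,
                "cert_cn": cn,
                "exact_match": cn.lower() == required.lower(),
                "wildcard_would_cover": wildcard_covers(cn, required),
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A finding with `exact_match` false and `wildcard_would_cover` true is the pattern in this report: the certificate authenticates, but the configured server identity is not satisfied by the wildcard name.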


Related issues

Is duplicate of Issue #629: Wildcards certs not accepted by Android client (Closed)

History

#1 Updated by Tobias Brunner about 5 years ago

  • Is duplicate of Issue #629: Wildcards certs not accepted by Android client added

#2 Updated by Tobias Brunner about 5 years ago

  • Status changed from New to Closed
  • Affected version deleted (5.2.1)
  • Resolution set to Duplicate
