Issue #3117

embedding PUBKEY certificate in payload failed

Added by Noel Kuntze 4 months ago. Updated 4 months ago.

Status: Closed
Priority: Normal
Assignee: -
Category: -
Affected version: 5.8.0
Resolution: No change required

Description

When using raw ECDSA keys with pubkey auth and a near default (no crypto plugins disabled) installation, when the IKE_SA gets initiated, strongSwan complains about "embedding PUBKEY certificate in payload failed", but the negotiation completes nonetheless.

History

#1 Updated by Tobias Brunner 4 months ago

  • Status changed from New to Feedback

That's normal if you don't prevent certificates from getting sent (e.g. via explicit configuration or if the peer doesn't send a certificate request). The public key is wrapped in a certificate_t object by the pubkey plugin and internally treated like a self-signed certificate. However, since it's not an X.509 certificate it can't be encoded in a certificate payload (we currently don't support RFC 7670), which causes that log message.

#2 Updated by Noel Kuntze 4 months ago

  • Status changed from Feedback to Closed
  • Resolution set to No change required

I see. Thank you for that information. :)
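The explicit configuration mentioned in comment #1, sketched as an added example (not part of the original thread and not the project's own sample): a swanctl.conf connection that authenticates with raw public keys and never attempts to send a certificate payload. It assumes swanctl.conf is in use; the connection name, address, identities and key file names are constructed placeholders.

```conf
# Added example; all names, addresses and file names below are placeholders.
connections {
    rawkey-peer {
        version = 2
        remote_addrs = 192.0.2.10

        # The default is "ifasked": a certificate payload is attempted whenever
        # the peer sends a certificate request. A raw public key cannot be
        # encoded in that payload, which produces the log message from this
        # issue. "never" skips the attempt entirely.
        send_cert = never

        # Do not ask the peer for a certificate either; its key is pinned
        # locally under remote.pubkeys, so no certificate is needed.
        send_certreq = no

        local {
            auth = pubkey
            id = host-a.example.org
            # Relative paths are resolved against the swanctl pubkey directory.
            pubkeys = host-a-ecdsa.pub
        }
        remote {
            auth = pubkey
            id = host-b.example.org
            # With raw keys there is no CA chain to validate: trust rests
            # entirely on this pinned key, so distribute it out of band and
            # replace it here on key rotation.
            pubkeys = host-b-ecdsa.pub
        }
        children {
            net {
                # Transport or tunnel selectors as required by the deployment.
                mode = tunnel
            }
        }
    }
}
```

Because the negotiation already completes without this change, the setting only removes the failed encoding attempt and its log line; authentication behaviour stays the same.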
