Issue #3154

signature validation failed only with sha2

Added by olaf Rottler 3 months ago. Updated 3 months ago.

Status:
Feedback
Priority:
Normal
Assignee:
-
Category:
configuration
Affected version:
5.8.0
Resolution:

Description

Hello,

I have set up an IKEv2 load test against a Cisco ASA and, out of sheer desperation, in the end even assigned the ASA a certificate from the root that was issued with strongSwan's built-in tools.

With a SHA-1 signature on the ASA side everything works without any problem; with a SHA-2 signature the strongSwan client fails.

The problem seems to have been known for some time, though; Cisco even has a bug number for it, CSCvb21927. Instead of fixing the bug, my colleague at Cisco now says,

"The problem is that it is the strongswan who cannot figure out how to use SHA-2 to verify the IKE_AUTH. This "fix" on the ASA is to use SHA-1, as the RFC suggests ("SHOULD"), for the sake of 3rd party interoperability. I'm not sure what more do you expect from us."

Do you see it that way too? If so, will this be fixed, and when, or do you need more info/debugs/logs/the IP/the certs of the ASA?

Regards
Olaf

root@load-isa01:~# ipsec pki --issue --in peerKey.requ --type pkcs10 \
    --cacert /etc/ipsec.d/cacerts/caCert.der \
    --cakey /etc/ipsec.d/private/load.der \
    --dn "C=CH, O=P354, CN=iap-qs.vpn.datev.de" \
    --san peer --outform pem > peerCertFromRequ.pem
and run into the signature error every time.
Jul 11 09:12:32 07[CFG] <load-test|78>   using trusted ca certificate "C=DE, L=Nuernberg, OU=P354, CN=CA-DATEV-loadtest" 
Jul 11 09:12:32 07[CFG] <load-test|78> certificate "C=DE, L=Nuernberg, OU=P354, CN=CA-DATEV-loadtest" key: 4096 bit RSA
Jul 11 09:12:32 07[CFG] <load-test|78> reached self-signed root ca with a path length of 0
Jul 11 09:12:32 79[IKE] <load-test|77> signature validation failed, looking for another key
Jul 11 09:12:32 07[IKE] <load-test|78> signature validation failed, looking for another key
Falling back to sha1 resolves this, so I'm really sure we have again
IKEv2 certificate authentication PRF SHA2 interoperability 3rd party
CSCvb21927
Description
Symptom:
3rd party IKEv2 client will fail to validate authentication response from the ASA when certificates are being used.

History

#1 Updated by Noel Kuntze 3 months ago

  • Category set to configuration
  • Status changed from New to Feedback

Hello,

What does openssl verify say about the cert? Please also upload a log as described in HelpRequests.

Best regards

Noel

#2 Updated by Tobias Brunner 3 months ago

"The problem is that it is the strongswan who cannot figure out how to use SHA-2 to verify the IKE_AUTH. This "fix" on the ASA is to use SHA-1, as the RFC suggests ("SHOULD"), for the sake of 3rd party interoperability. I'm not sure what more do you expect from us."

The actual fix is for Cisco to implement RFC 7427. Then SHA2 can properly be used for IKEv2 pubkey authentication.
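
Added example (not part of the original thread, and not strongSwan or Cisco code): a Python sketch of what the AUTH payload's Authentication Data carries under the RFC 7296 RSA method (1), where nothing names the hash, versus the RFC 7427 Digital Signature method (14) referred to in comment #2, where a DER AlgorithmIdentifier precedes the signature. The function name and the sample signature bytes are constructed for illustration; the AlgorithmIdentifier encodings are the RSA PKCS#1 v1.5 ones listed in RFC 7427 Appendix A.

```python
"""Added example: reading the IKEv2 AUTH payload's Authentication Data."""

AUTH_RSA_SIG = 1       # RFC 7296 "RSA Digital Signature": bare signature only
AUTH_DIGITAL_SIG = 14  # RFC 7427 "Digital Signature": algorithm + signature

# DER AlgorithmIdentifiers for RSA PKCS#1 v1.5, as listed in RFC 7427 Appendix A.
# All share the pkcs-1 OID prefix and end in a NULL parameter (05 00).
PKCS1_PREFIX = bytes.fromhex("300d06092a864886f70d0101")
KNOWN_ALGS = {
    PKCS1_PREFIX + bytes([arc, 0x05, 0x00]): name
    for arc, name in (
        (0x05, "sha1WithRSAEncryption"),
        (0x0B, "sha256WithRSAEncryption"),
        (0x0C, "sha384WithRSAEncryption"),
        (0x0D, "sha512WithRSAEncryption"),
    )
}


def parse_auth_data(method, data):
    """Return (algorithm name or None, signature bytes) for an AUTH body."""
    if method == AUTH_RSA_SIG:
        # Nothing on the wire names the hash, so the verifier must assume one.
        return None, data
    if method != AUTH_DIGITAL_SIG:
        raise ValueError(f"not a signature auth method: {method}")
    if not data:
        raise ValueError("empty Authentication Data")
    alg_len = data[0]  # one-octet ASN.1 length field
    if alg_len == 0 or len(data) <= 1 + alg_len:
        raise ValueError("truncated AlgorithmIdentifier or missing signature")
    alg = data[1:1 + alg_len]
    name = KNOWN_ALGS.get(alg)
    if name is None:
        # e.g. RSASSA-PSS or ECDSA identifiers, which this sketch does not decode
        raise ValueError(f"unrecognised AlgorithmIdentifier: {alg.hex()}")
    return name, data[1 + alg_len:]


if __name__ == "__main__":
    sig = b"\xab" * 512  # constructed stand-in for a 4096-bit RSA signature
    sha256_alg = PKCS1_PREFIX + bytes([0x0B, 0x05, 0x00])
    body = bytes([len(sha256_alg)]) + sha256_alg + sig
    print(parse_auth_data(AUTH_DIGITAL_SIG, body)[0])  # hash is signalled
    print(parse_auth_data(AUTH_RSA_SIG, sig)[0])       # hash is not signalled
```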
