Bug #3139

Updated by Tobias Brunner 3 months ago

Hi,
I am trying to run the IKE load tests using the load-test plugin. I am using strongSwan version 5.7.2, and the certificate in load_tester_creds.c had expired, and I pulled the latest key and cert from master on GitHub. With this, I am seeing the error below on the initiator: "rejecting certificate without digitalSignature or nonRepudiation keyUsage flags". Am I missing anything here? Please let me know if you need any other information.

<pre>
2019-08-08T17:48:48.0+0530
2019-08-08T17:48:48.0+0530 07[NET] <load-test|8> received packet: from 20.0.0.1[500] to 20.0.0.2[500] (481 bytes)
2019-08-08T17:48:48.0+0530 07[ENC] <load-test|8> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
2019-08-08T17:48:48.0+0530 07[CFG] <load-test|8> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
2019-08-08T17:48:48.0+0530 07[IKE] <load-test|8> received cert request for "CN=srv, OU=load-test, O=strongSwan"
2019-08-08T17:48:48.0+0530 07[IKE] <load-test|8> sending cert request for "CN=srv, OU=load-test, O=strongSwan"
2019-08-08T17:48:48.0+0530 07[IKE] <load-test|8> authentication of 'CN=c8-r1, OU=load-test, O=strongSwan' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
2019-08-08T17:48:48.0+0530 07[IKE] <load-test|8> sending end entity cert "CN=c8-r1, OU=load-test, O=strongSwan"
2019-08-08T17:48:48.0+0530 07[IKE] <load-test|8> establishing CHILD_SA load-test{10}
2019-08-08T17:48:48.0+0530 07[ENC] <load-test|8> generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
2019-08-08T17:48:48.0+0530 07[NET] <load-test|8> sending packet: from 20.0.0.2[4500] to 20.0.0.1[4500] (1036 bytes)
2019-08-08T17:48:48.0+0530 15[NET] <load-test|8> received packet: from 20.0.0.1[4500] to 20.0.0.2[4500] (396 bytes)
2019-08-08T17:48:48.0+0530 15[ENC] <load-test|8> parsed IKE_AUTH response 1 [ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(AUTH_LFT) ]
2019-08-08T17:48:48.0+0530 15[CFG] <load-test|8> using trusted certificate "CN=srv, OU=load-test, O=strongSwan"
2019-08-08T17:48:48.0+0530 15[IKE] <load-test|8> rejecting certificate without digitalSignature or nonRepudiation keyUsage flags
2019-08-08T17:48:48.0+0530 15[IKE] <load-test|8> signature validation failed, looking for another key
2019-08-08T17:48:48.0+0530 15[ENC] <load-test|8> generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
2019-08-08T17:48:48.0+0530 15[NET] <load-test|8> sending packet: from 20.0.0.2[4500] to 20.0.0.1[4500] (76 bytes)
</pre>
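
A triage sketch for logs like the one above, added here as an example and not part of the original report or of strongSwan: it groups lines by IKE_SA and reports which certificate subject preceded each keyUsage rejection and whether AUTH_FAILED followed. The function name and the pairing of a rejection with the most recent "using trusted certificate" line on the same IKE_SA are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: four lines copied from the log in the report above.
SAMPLE_LOG = """\
2019-08-08T17:48:48.0+0530 15[CFG] <load-test|8> using trusted certificate "CN=srv, OU=load-test, O=strongSwan"
2019-08-08T17:48:48.0+0530 15[IKE] <load-test|8> rejecting certificate without digitalSignature or nonRepudiation keyUsage flags
2019-08-08T17:48:48.0+0530 15[IKE] <load-test|8> signature validation failed, looking for another key
2019-08-08T17:48:48.0+0530 15[ENC] <load-test|8> generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
"""

# Fields: timestamp, thread[GROUP], <connection|unique-id>, message.
# A leading "**" left over from highlight markup is tolerated.
LINE_RE = re.compile(r'^(?:\*\*)?(\S+) (\d+)\[(\w+)\] <([^|>]+)\|(\d+)> (.*)$')
CERT_RE = re.compile(r'^using (?:trusted )?certificate "(.+)"$')
REJECT = ("rejecting certificate without digitalSignature or "
          "nonRepudiation keyUsage flags")


def find_keyusage_rejections(log_text):
    """Return one dict per keyUsage rejection, tied to its IKE_SA."""
    last_cert = {}                  # (conn, id) -> last certificate subject seen
    pending = defaultdict(list)     # rejections not yet followed by AUTH_FAILED
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                # bare timestamps, blank or foreign lines
        ts, _thread, _group, conn, uid, msg = m.groups()
        sa = (conn, int(uid))
        cert = CERT_RE.match(msg)
        if cert:
            last_cert[sa] = cert.group(1)
        elif msg == REJECT:
            # Assumption: the rejected certificate is the last one this SA used.
            hit = {"time": ts, "conn": conn, "ike_sa": int(uid),
                   "subject": last_cert.get(sa), "auth_failed": False}
            findings.append(hit)
            pending[sa].append(hit)
        elif msg.startswith("generating") and "N(AUTH_FAILED)" in msg:
            for hit in pending.pop(sa, []):
                hit["auth_failed"] = True
    return findings


if __name__ == "__main__":
    for hit in find_keyusage_rejections(SAMPLE_LOG):
        print(hit)
```
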