From: Andreas Steffen (andreas.steffen_at_strongsec.net)
Date: Sat Aug 24 2002 - 12:25:30 CEST
I wouldn't go below 1024 bits for the RSA key neither! But certainly
the DN should be as short as possible. The use of an Email field
in the DN is cleary deprecated by the PKIX profile. If you need
one e.g. for S/MIME put it better in a subjectAltName. Also there
are a couple of X.509v3 extensions that are not actually needed.
I'm attaching a template openssl.cnf file which generates compact
X.509 certificates.
Regards
Andreas
Reimer, Fred wrote:
> How would you propose I do that? Make the key shorter? I already reduced
> it to 1024 bits, and I'm not going below that. Make the DN shorter? It
> already only contains the information I believe is necessary. "Small and
> compact" certificates isn't a solution for me, but thanks for the
> suggestion!
>
> - Fred
>
>
> -----Original Message-----
> From: Andreas Steffen [mailto:andreas.steffen_at_strongsec.net]
> Sent: Friday, August 23, 2002 2:52 PM
> To: Reimer, Fred
> Cc: users_at_freeswan.org
> Subject: Re: [Users] freeswan-x509 <--> Check Point VPN-1 NG FP-2
>
>
> IP fragments are often problematic since they get discarded by
> firewall rules. Try to generate small and compact certificates
> so that the ISAKMP message will be below 1500 bytes.
>
> Regards
>
> Andreas
>
> Reimer, Fred wrote:
>
>>O.K., it's getting weird...
>>
>>I had a hunch that the reason the firewall wasn't matching on the email
>>address was because openssl was using Email=fwr_at_ga.prestige.net instead of
>>E=fwr_at_ga.prestige.net. I don't even know if the E= form is acceptable,
>
> but
>
>>I read somewhere, possibly on the x509 patch site, that both E= and Email=
>>are for email addresses and though that the firewall might be broken and
>>only searching for the E= label. Anyhow, I changed openssl source,
>>recompiled, created a new cert/key for the Linux box and restarted ipsec.
>>Now if comes up with a "PAYLOAD-MALFORMED" message from the firewall. BUT
>>-- I'm not so sure that it is because of this change. I did a trace and
>
> see
>
>>an ISAKMP packet from the Linux box to the firewall (Identity protection,
>>main mode according to Ethereal) The IP header length field is 1500
>
> bytes.
>
>>The ISAKMP decode shows a length of 1644. Immediately after this is an IP
>>fragment packet with 62 bytes of data. So, it looks like FreeS/WAN is
>>fragmenting the packet. I thought you couldn't do that with encrypted
>>packets.
>>
>>Why is this acting differently? Because of my change of the email field
>>from Email to E, or because of the fragmented packets?
>>
>>Thanks,
>>
>>Fred
======================================================================
Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH phone: +41 76 340 25 56
Alter Zürichweg 20 home: http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==
# OpenSSL example configuration file for IPsec certificates.
# 2002 by Andreas Steffen, Zuercher Hochschule Winterthur
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = /usr/ssl # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crls # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crls/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = md5 # which md to use.
x509_extensions = usr_cert # The extentions to add to the cert
policy = policy_match # default policy
[ policy_match ]
countryName = match
localityName = optional
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
####################################################################
[ req ]
default_bits = 1024
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
string_mask = nombstr
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = DE
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State
localityName = Locality Name (eg, city)
localityName_default =
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Kool AG
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default =
commonName = Common Name (eg, YOUR name)
commonName_max = 64
[ req_attributes ]
##################################################################
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
basicConstraints = critical, CA:FALSE
# This is typical for a client certificate.
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# Specifies a URI where a CRL can be retrieved from
#crlDistributionPoints = URI:http://www.kool.de/ca/cert.crl
# Alternate Host ID (FQDN) <uncomment and edit>
#subjectAltName = critical, DNS:gateway.kool.de
# Alternate User ID (USER_FQDN) <uncomment and edit>
#subjectAltName = critical, email:antje_at_kool.de
#################################################################
[ v3_ca ]
# Extensions for a typical CA
basicConstraints = critical, CA:true
# This is typical for a CA certificate.
keyUsage = cRLSign, keyCertSign
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.4 : Mon Aug 26 2002 - 03:20:24 CEST