Host Identity Protocol for Linux

HIPL Certificate Exchange Problems

Asked by changyou xing on 2012-04-15

Hi, I'm trying to configure HIPL to support certificate exchange, but I'm not very clear on chapter 9 of the HIPL user manual. It says that when using 3 hosts to construct a HIPL certificate exchange environment, "host B is situated on the forwarding path between A and C." Could you explain this for me? Does that mean that all traffic between host A and C must go through B, and B works like a router?

Besides, is it possible to implement this function using just two hosts, A and C, and moving the hipfw function to the initiator A? Following is my configuration, but it does not work. Could you help me resolve this problem? Thank you in advance.

Host A: the initiator and the CA. It generates ca-root-cert.pem and places it in its /etc/hip directory. Host A also configures its hipfw.conf by adding the rule "INPUT -cert /etc/hip/ca-root-cert.pem ACCEPT", and this is the only rule in the file hipfw.conf.

Host C: the responder. Host A generates host-cert.der for host C and copies it to host C's /etc/hip directory.

After that, host A pings host C, but if we start hipfw on host A, no packets can be transmitted. We don't know what the problem is, or how to implement the HIPL certificate exchange function. Thank you very much.

Question information

Solved by:
Henrik Ziegeldorf
changyou xing (chyouxing) said : #1

We have debugged the program, and now we find that all problems are caused by a certificate verification error. After receiving the R2 packet, hipfw prints "could not verify trust point certificate, certificate error on R2".

When using openssl to verify the certificate, we use the following command:
"openssl verify -CAfile ca-root-cert.pem host-cert.der", and it says "unable to load certificate, 3077813996:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting:TRUSTED CERTIFICATE".

Both ca-root-cert.pem and host-cert.der are generated according to the doc, so could you tell me what's wrong? Thank you.

Henrik Ziegeldorf said : #2

"openssl verify -CAfile ca-root-cert.pem host-cert.der"
This doesn't work because the second certificate is in DER encoding.
openssl expects PEM if you don't indicate otherwise (you can actually observe that by the call to PEM_read_bio).

cat host-cert.der | openssl x509 -inform DER > host-cert.pem

openssl verify -CAfile ca-root-cert.pem host-cert.pem

This should result in:
host-cert.pem: OK

Hope that helps.

changyou xing (chyouxing) said : #3

Thank you for your help, but why does hipfw say "could not verify trust point certificate, certificate error on R2" and block the HIP communication? All our operations followed the standard document. Thank you in advance.

changyou xing (chyouxing) said : #4

We followed your instructions, but the system prints the error "error 20 at 0 depth lookup:unable to get local issuer certificate", and we used debug mode to test HIPL, which gives the same error. The generation of ca-root-cert.pem and host-cert.der followed the document, so we are wondering what the problem is. Thank you.

changyou xing (chyouxing) said : #5

Thanks Henrik Ziegeldorf, that solved my question.