What's new
By:

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Let's Encrypt defaults to ECDSA - Revert to RSA to avoid IPsec Errors?

DigitizedMe

DigitizedMe

Occasional Visitor
Hopefully this is a quick one, and there's a config or script in JFFS I can modify to customize Let's Encrypt to pull both ECDSA and RSA certs, or just RSA? Then I can use RSA in my ipsec.postconf, insead of the ECDSA located in the in the /jffs/.le/hostname_ecc directory.

Now that Let's Encrypt is pushing ECDSA keys, I can't get Android's built-in VPN to connect to the server. The Android strongSwan app works fine! From everything I can tell, the Android IPsec implementation doesn't like the Let's Encrypt ECDSA SHA-364 signature.

The server's swanctl --log doesn't throw an error.

However, logcat on the Android device hangs at "android.net.ipsec.ike.exceptions.AuthenticationFailedException: Unrecognized ASN.1 objects for Signature algorithm and Hash" and "IkeAuthDigitalSignPayload: Unexpected or repeated Signature Hash Algorithm: 5" errors

I want to roll back to RSA just for compatibility at this point. I'm not sure any benefits of ECDSA is worth incompatibility with OS native tools.
 
If I've learned anything, it's to come with questions and offer possible solutions!

It looks like the ASN.1 error might be resolved with the newest strongSwan version 5.9.14. Falling down the rabbit hole a little bit, this most likely has to do with an RSA_PSS validation error. The fix would be to modify strongswan.conf and insert "RSA_PSS = Yes."

Excuse my noobiness, but I like to try things myself. I used opkg to install strongSwan 5.9.14-5, ipsec, and swanctl. I could verify the version updated with "swanctl --version." However, all the config files were throwing crazy errors. I removed the packages and deleted the configs from /opt to roll back to the Merlin default with my postconfigs.

Would anyone be able to lend advice on how to update just a binary with opkg, without having to bother Merlin, or could this be coming down in a soon to be released version? I believe I was able to update the binary, but now configs were all over the place!
 
You must log in or register to reply here.
Similar threads
Thread starter Title Forum Replies Date
L Is Merlin https CERT or let's encrypt more secure? Asuswrt-Merlin 6
M DuckDNS DDNS with Let's Encrypt certificate Asuswrt-Merlin 1

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 449 (members: 16, guests: 433)
Back
Top