[Openswan dev] ID_DER_ASN1_DN change in 2.5.17, was Re: [Openswan Users] Openswan on Fedora 9

Tuomo Soini tis at foobar.fi
Mon Jun 9 14:06:10 EDT 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Paul Wouters wrote:

| The comment with that commit says:
|
| commit f789468cee4e8d68645eae87d0a016edba575e45
| Author: Michael Richardson <mcr at xelerance.com>
| Date:   Tue Dec 18 19:53:35 2007 -0500
|
|     permit leftid= to be used even when using leftcert. Do not override
|     the ID type unless the ID type is none, or %fromcert.
|
| So it looks like specifying leftid="something" was ignored when leftcert=
| was used. However, the fix for this caused a side effect, changing the
| *default* type of id when leftcert= is used from ID_DER_ASN1_DN to
| ID_IPV4_ADDR. This will cause major headaches for people upgrading from
| openswan 2.4.x.

Being able to override the id is a good thing, but there is something to know
about X.509 auth. The 2.6.14 default of using IPV4_ADDR as leftid is
wrong because this is a special case. It requires a specially crafted
certificate with a subjectAltName defining the IP of the host.

When leftcert is defined, the sane default must actually be %fromcert; it's
the only working solution as a default value with a cert, even when it's
inconsistent with the normal default value for leftid=<left ipv4 addr>.

- --
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD4DBQFITXESTlrZKzwul1ERAojbAJihJezknTodvq1Tjtejir/ajinAAKCOnDSa
zY0oH9s+/BFzc1LjcKoi7A==
=Bv21
-----END PGP SIGNATURE-----
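The effect of the default change described in this thread, shown as an added ipsec.conf illustration. This is not configuration from the thread or from the Openswan project; the connection names, addresses, certificate file name and peer DN are assumed, and the leftrsasigkey=%cert / authby=rsasig lines are the usual Openswan X.509 setup rather than something the thread discusses.

```ini
# Constructed example, not from the thread. Addresses, certificate file
# name, peer DN and connection names are assumed.

# Relies on the version-dependent default. With leftid= unset, 2.4.x used
# the certificate's subject DN (ID_DER_ASN1_DN); after the 2.5.17 change
# the unset leftid falls back to the address (ID_IPV4_ADDR), which only
# matches if the certificate carries a subjectAltName with that IP.
conn relying-on-default
    left=192.0.2.10
    leftcert=gwcert.pem
    leftrsasigkey=%cert
    right=198.51.100.20
    rightrsasigkey=%cert
    authby=rsasig
    auto=add

# Explicit form that does not depend on the default: leftid=%fromcert takes
# the ID from the certificate's subject DN, matching the 2.4.x behaviour
# regardless of which Openswan version is installed.
conn explicit-fromcert
    left=192.0.2.10
    leftid=%fromcert
    leftcert=gwcert.pem
    leftrsasigkey=%cert
    right=198.51.100.20
    rightid="C=XX, O=Example, CN=peer.example.invalid"
    rightrsasigkey=%cert
    authby=rsasig
    auto=add
```

The practical takeaway when upgrading across this change is to state leftid= (and rightid=) explicitly for every certificate-based connection rather than relying on whatever the installed version picks as the default ID type.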

