[Openswan dev] ID_DER_ASN1_DN change in 2.5.17, was Re: [Openswan Users] Openswan on Fedora 9

Paul Wouters paul at xelerance.com
Mon Jun 9 23:15:48 EDT 2008



>     Paul> I'm strongly leaning towards undoing the code that causes this
>     Paul> to be necessary, unless someone can convince me that the
>     Paul> default when using leftcert= should be ID_IPV4_ADDR instead of
>     Paul> ID_DER_ASN1_DN. I can come up with no valid reason for this.
> 
>   Because, if the "default" is "ID_DER_ASN1_DN", you can never use X.509
> certificates in other than "issued from a common CA" mode.
>   There is no way to *undo* that option.

Can you explain that? What I understood (assuming left is local and trusted,
and right is remote and might need verification):

- When you use leftcert= and rightcert= (eg no CA is used) the certs are
  loaded as trusted and the ID_DER_ASN1_DN's used are matched on both ends
  because ID_DER_ASN1_DN were used when *cert= were specified.

- When you use a CA setup, you trust the loaded leftcert= and the rightid=
  and rightcert= is verified against all the CAs from /etc/ipsec.d/cacerts.
  You have a choice of rightca=%any, rightca=%same or even rightca="some DN"

AFAIK, as long as you specify the DN as rightid=, you can match regardless
of what CA you wish to assign to that trust. If no CA is used, you ensure
you have the other cert preloaded.

In any other case, I don't understand why you are using certs (e.g. if you really
want to just grab the public key and make up some rightid= to match something
other than the DN).

I'm still unsure what it fixes. Is there a testcase showing this problem?

Paul
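Added example (not configuration from the thread or from Openswan itself): what the two setups described above look like as ipsec.conf connections; addresses, certificate file names and DNs are constructed placeholders.

```ini
# Mode 1: no CA. Both peer certificates are preloaded locally, so each
# side is trusted directly and the IKE IDs default to the cert DNs
# (ID_DER_ASN1_DN) because *cert= is specified on both ends.
conn nocacerts
    authby=rsasig
    left=192.0.2.1
    leftcert=gwA.pem
    leftrsasigkey=%cert
    right=192.0.2.2
    rightcert=gwB.pem
    rightrsasigkey=%cert
    auto=add

# Mode 2: CA setup. No rightcert= is preloaded; the peer's certificate is
# received in IKE and verified against the CAs in /etc/ipsec.d/cacerts.
# rightid= pins the DN that must appear in that certificate, and rightca=
# restricts which CA may have issued it (%same, %any, or an explicit DN).
conn cacerts
    authby=rsasig
    left=192.0.2.1
    leftcert=gwA.pem
    leftrsasigkey=%cert
    right=192.0.2.2
    rightid="C=XX, O=Example, CN=gwB.example.test"
    rightrsasigkey=%cert
    rightca=%same
    auto=add
```

In the second connection, replacing rightca=%same with rightca="C=XX, O=Example, CN=Example CA" pins the issuer explicitly, while rightca=%any accepts any trusted CA from the cacerts directory as long as the DN in rightid= matches.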

