[Openswan dev] ID_DER_ASN1_DN change in 2.5.17, was Re: [Openswan Users] Openswan on Fedora 9

Michael Richardson mcr at sandelman.ottawa.on.ca
Tue Jun 10 09:12:42 EDT 2008

The problem is that you can not use a public key from a certificate with
a different rightid=.  Once you say "rightcert=" the rightid was forced,
no choice at all.  Many people forced to use PSK because they couldn't
process a certificate.

Being forced to use the "DN" which might well be "localhost.localdomain"
if you were dealing with a *racoon* or SonicWall, or or thing that has a
self-signed certificate as the only way to get a public key out.

You get the old behaviour by leaving out rightid= (it then defaults to
%fromcert), or explicitely saying "rightid=%fromcert". 

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr at sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [

More information about the Dev mailing list