[Openswan dev] ID_DER_ASN1_DN change in 2.5.17, was Re: [Openswan Users] Openswan on Fedora 9

Paul Wouters paul at xelerance.com
Tue Jun 10 10:37:08 EDT 2008


Thanks for the explanation,

> The problem is that you can not use a public key from a certificate with
> a different rightid=.  Once you say "rightcert=" the rightid was forced,
> no choice at all. 

Okay. That is a problem, and good that it is fixed, though:

> Many people forced to use PSK because they couldn't process a certificate.

I am not sure about the "many people" here.

> Being forced to use the "DN" which might well be "localhost.localdomain"
> if you were dealing with a *racoon* or SonicWall, or other thing that has a
> self-signed certificate as the only way to get a public key out.

Obviously the fix there is to use more meaningful self generated certificates.

> You get the old behaviour by leaving out rightid= (it then defaults to
> %fromcert), or explicitly saying "rightid=%fromcert". 

That breaks when using left=%defaultroute. And perhaps in more
scenarios as well. The reason this issue came up at all is that people's
configuration from openswan 2.4.x broke because of this change, and logs
clearly show that it is sending the IP instead of the DN when leftcert=
is used without leftid.

Helping people with "localhost.localdomain" certs is not worth breaking
everyone's working openswan 2.4.x X.509 setup.

For 2.6.15, I will look at trying to fix the code to actually default to
leftid=%fromcert, or back out these changes to support overriding the DN.

Paul
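As an added illustration (not part of the thread above, and not Openswan's own documentation), here is an ipsec.conf fragment for the situation Paul describes: a conn that worked on 2.4.x with only leftcert= set, and the same conn made explicit so the DN from the certificate is sent regardless of the 2.5.17 change. The peer addresses and the DN are constructed placeholders.

```ini
# Constructed example; addresses and the DN are placeholders.

# 2.4.x-style conn: leftid= is omitted and the DN is taken from leftcert.
# On 2.5.17, when left=%defaultroute is used, this can end up sending the
# local IP as the ID instead of the certificate DN (the breakage in the thread).
conn oldstyle
    left=%defaultroute
    leftcert=mycert.pem
    right=203.0.113.1
    rightrsasigkey=%cert
    authby=rsasig

# Same conn with the ID made explicit: leftid=%fromcert asks for the
# certificate's DN, so the behaviour does not depend on the release default.
conn explicit-fromcert
    left=%defaultroute
    leftcert=mycert.pem
    leftid=%fromcert
    right=203.0.113.1
    rightrsasigkey=%cert
    authby=rsasig

# Alternatively, pin the DN directly; it must match the DN in mycert.pem
# exactly, or the peer will reject the ID/certificate mismatch.
conn explicit-dn
    left=%defaultroute
    leftcert=mycert.pem
    leftid="C=XX, O=Example Org, CN=vpn.example.com"
    right=203.0.113.1
    rightrsasigkey=%cert
    authby=rsasig
```

When checking which form a running 2.5.x box actually uses, compare the ID shown in the pluto log for the conn against the subject in leftcert, as the thread notes the log makes the IP-versus-DN difference visible.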

