[Openswan dev] ID_DER_ASN1_DN change in 2.5.17, was Re: [Openswan Users] Openswan on Fedora 9

Michael Richardson mcr at sandelman.ottawa.on.ca
Wed Jun 11 17:38:39 EDT 2008

>>>>> "Paul" == Paul Wouters <paul at xelerance.com> writes:
    >> Being forced to use the "DN" which might well be
    >> "localhost.localdomain" if you were dealing with a *racoon* or
    >> SonicWall, or or thing that has a self-signed certificate as the
    >> only way to get a public key out.

    Paul> Obviously the fix there is to use more meaningful self
    Paul> generated certificates.

  Only if you can control what is in it.

    >> You get the old behaviour by leaving out rightid= (it then
    >> defaults to %fromcert), or explicitely saying
    >> "rightid=%fromcert".

    Paul> That breaks when using left=%defaultroute. And perhaps in more
    Paul> scenarios as well. The reason this issue came up at all is

  I don't understand how left=%defaultroute relates to leftid=

    Paul> Helping people with "localhost.localdomain" certs is not worth
    Paul> breaking everyone's working openswan 2.4.x X.509 setup.

  I see. 

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr at sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [

More information about the Dev mailing list