[Openswan Users] openswan-2 cvs x509 troubles

Michael Richardson mcr at sandelman.ottawa.on.ca
Mon Apr 26 03:35:51 CEST 2004




>>>>> "Ken" == Ken Bantoft <ken at xelerance.com> writes:
    Ken> Update to latest CVS... mcr committed a slew of changes for
    Ken> X.509 policies tonight.  They will probably fix this...

    >> Further debugging of my "no RSA public key known" problem.

  Latest CVS can say:

	 leftcertsend={never,ifasked,always}

  ifasked means to send the certificate if the other end asks. There was
a bug with leftsendcert=always that is now fixed.
  
  At present the problem still seems to me that the certificate request
is not being sent when I want it to. I don't want to send it by
default. 
  It was turned off by default because it seemed to cause problems for
non-X.509 uses. 
  Rule #1 - new code is always suspect when it causes old things to break. 
  Rule #2 - code without test cases gets disabled.

  In CVS head, if you set leftca="..." on the gateway, then a CR for
that CA will be sent, and the certificates will get transferred. (test
case x509-pluto-02) 
  Sending leftca=%any ought to also work as well, but does not at this
time.

- --
]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [

