[Openswan Users] Wildcards in ID_DER_ASN1_DN (rightid)

Paul Wouters paul at xelerance.com
Wed Dec 14 21:15:37 CET 2005


On Wed, 14 Dec 2005, Kevan Benson wrote:

> In trying to get certs configured, I'm running into a problem with getting
> wildcards working.  If I specify the distinguished name entirely on both
> ends, it connects fine.  If I specify a wildcard for a portion of the CN (all
> I'm trying to wildcard at this point), it fails with this error:
>
> we require peer to have ID 'C=US, ST=California, L=Santa Rosa, O=Example Co,
> CN=*.vpn.example.net, E=ca-admin at example.net', but peer declares 'C=US,
> ST=California, L=Santa Rosa, O=Example Co, CN=test100.vpn.example.net,
> E=ca-admin at example.net'


> If I specify the CN as a wildcard entirely (CN=*) I get this error:
>
> 031 "test100": cannot initiate connection with ID wildcards (kind=CK_TEMPLATE)

Hmm, it seems there is a bug. CN=* and CN=*.foo should behave the same. Your
first example seems right. Can you show us the openssl x509 -subject -noout
output of the connecting certificate?

The second error is what I would expect in both cases. When you allow multiple
incoming connections, these can be instantiated. That means the connection definition
is a template, and for each incoming connection a copy of this connection is
made and "filled in". Usually this also means using right=%any. These types of
connections can only respond; they cannot initiate. So try connecting to this
connection from the other end, which may not be specifying any wildcards.

We need to create more X.509 testcases for all these scenarios.

Paul
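
The arrangement Paul describes above, written out as an ipsec.conf example. This is an added illustration, not configuration from the original post or from the Openswan project: the gateway hostname gw.vpn.example.net, the certificate file names, and the e-mail address ca-admin@example.net in the DN (the list archive rewrote the "@") are assumptions. The gateway side carries the wildcard in rightid and right=%any, so it is a template (CK_TEMPLATE) and is only loaded with auto=add; the client spells out both IDs in full and is the end that initiates with auto=start.

```conf
# Gateway side (responder). The wildcard in rightid plus right=%any make this
# conn a template: it is instantiated per incoming peer and can only respond,
# so it is loaded with auto=add, never auto=start.
conn roadwarriors
    left=%defaultroute
    leftcert=gwCert.pem
    leftid="C=US, ST=California, L=Santa Rosa, O=Example Co, CN=gw.vpn.example.net, E=ca-admin@example.net"
    right=%any
    rightid="C=US, ST=California, L=Santa Rosa, O=Example Co, CN=*, E=ca-admin@example.net"
    rightrsasigkey=%cert
    auto=add

# Client side (initiator, host test100). Both IDs are fully specified, no
# wildcards, so this conn is not a template and may initiate with auto=start.
conn to-gw
    left=%defaultroute
    leftcert=test100Cert.pem
    leftid="C=US, ST=California, L=Santa Rosa, O=Example Co, CN=test100.vpn.example.net, E=ca-admin@example.net"
    right=gw.vpn.example.net
    rightid="C=US, ST=California, L=Santa Rosa, O=Example Co, CN=gw.vpn.example.net, E=ca-admin@example.net"
    rightrsasigkey=%cert
    auto=start
```

The leftid on each end must match the subject DN of the certificate that end presents; checking it with `openssl x509 -subject -noout -in test100Cert.pem` (as Paul asks for above) before loading the conn avoids the "we require peer to have ID ... but peer declares ..." mismatch.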

