[Openswan Users] Wildcards in ID_DER_ASN1_DN (rightid)

Kevan Benson kbenson at a-1networks.com
Wed Dec 14 12:27:27 CET 2005


As a forenote, I'm changing the domain and company name in all the instances 
to example for posting, but I'm doing it in all instances so things should 
line up right.

On Wednesday 14 December 2005 12:15, Paul Wouters wrote:
> Hmm, it seems there is a bug. CN=* and CN=*.foo should behave the same.
> Your first example seems right. Can you show us the openssl x509 -subject
> -noout output of the connecting certificate?

subject= /C=US/ST=California/L=Santa Rosa/O=ClearTunnel/CN=test100.vpn.cleartunnel.net/emailAddress=ca-admin at cleartunnel.net

> The second error, is what I would expect in both cases. When you allow
> multiple incoming connections, these can instantiated. That means the
> connection definition is a template, and for each incoming connection a
> copy of this connection is made and "filled in". Usually this also means
> using right=%any. These type of connections can only respond, they can not
> initiate. So try connecting to this connection from the other end, which
> may not be specifying any wildcards.

I actually tried that shortly after posting, and it seems that it kills pluto.

> We need to create more X.509 testcases for all these scenarios.

Well, we're interested in helping in whatever way we can.  I have a few 
identical Mini-ITX boxes, and my next project is making sure CryptoAPI is 
working with VIA Padlock.

-- 
Kevan Benson
A-1 Networks
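For readers following the thread, here is what the connection Paul describes looks like in ipsec.conf: a responder-only template (right=%any, auto=add) that authenticates peers by X.509 certificate and matches their subject DN against a rightid containing wildcards. This is an added illustration, not configuration from Kevan's or Paul's messages; the certificate file name, the CA DN, the host names and the "Example" organisation are assumptions, and the RDN layout (including the trailing emailAddress RDN, abbreviated E= in Openswan's DN parser) mirrors the subject printed above.

```ini
# Added example (not from the original post): an Openswan roadwarrior conn that
# accepts any certificate under a given CA whose subject matches a wildcarded DN.
# Certificate file names, CA DN, host names and the "Example" values are assumptions.
conn roadwarrior-x509
        left=%defaultroute
        # Gateway's own certificate, installed under /etc/ipsec.d/certs/ (assumed name)
        leftcert=gateway.example.com.pem
        leftrsasigkey=%cert
        leftid="C=US, ST=California, L=Santa Rosa, O=Example, CN=gateway.example.com"
        # Peer certificates must chain to this CA (assumed CA DN)
        rightca="C=US, ST=California, L=Santa Rosa, O=Example, CN=Example CA"
        # DN matching is done RDN by RDN, so every RDN in the peer's subject needs a
        # counterpart here; "*" accepts any value for that RDN. CN=* admits every
        # host under the organisation, and E=* admits any emailAddress RDN.
        rightid="C=US, ST=California, L=Santa Rosa, O=Example, CN=*, E=*"
        rightrsasigkey=%cert
        # %any makes this a template: one instance is created per connecting peer
        right=%any
        # Templates can only respond, never initiate, so load with auto=add, not auto=start
        auto=add
```

Before loading it, confirm the peer's subject with the command Paul asked for, `openssl x509 -subject -noout -in <cert>`, and check that the RDNs appear in the same order and count as in rightid; a subject with an extra or missing RDN will not match even when the CN wildcard would. The initiating side (the road warrior) carries the fixed peer address and its own literal rightid, and is the end that runs `ipsec auto --up`.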

