[Openswan Users] Wildcards in ID_DER_ASN1_DN (rightid)

Paul Wouters paul at xelerance.com
Wed Dec 14 21:56:16 CET 2005


On Wed, 14 Dec 2005, Kevan Benson wrote:

> As a forenote, I'm changing the domain and company name in all the instances
> to example for posting, but I'm doing it in all instances so things should
> line up right.
>
> On Wednesday 14 December 2005 12:15, Paul Wouters wrote:
> > Hmm, it seems there is a bug. CN=* and CN=*.foo should behave the same.
> > Your first example seems right. Can you show us the openssl x509 -subject
> > -noout output of the connecting certificate?
>
> subject= /C=US/ST=California/L=Santa Rosa/O=ClearTunnel/CN=test100.vpn.cleartunnel.net/emailAddress=ca-admin at cleartunnel.net

Ok. I wanted to verify you were using the same number of RDNs, which you are. So this
might be our bug.

> I actually tried that shortly after posting, and it seems that it kills pluto.

Can you use 2.4.5dr3 and give us a trace on that?

Enable in ipsec.conf:

	dumpdir=/tmp
	plutorestartoncrash=no

Crash pluto and please give us a backtrace of the core in /tmp/.

> Well, we're interested in helping in whatever way we can.  I have a few
> identical Mini-ITX boxes, and my next project is the making sure CryptoAPI is
> working with VIA Padlock.

Using CryptoAPI, there is also some support, including using /dev/hw_random.
There might be some minor changes in _startklips, to load the padlock module before
the aes module so it will use the padlock AES code, that are not in 2.4.5dr3 yet,
but they will be in 2.5.3.

Paul
-- 

"Happiness is never grand"

	--- Mustapha Mond, World Controller (Brave New World)

