[Openswan Users] Wildcards in ID_DER_ASN1_DN (rightid)
Kevan Benson
kbenson at a-1networks.com
Wed Dec 14 15:38:43 CET 2005
On Wednesday 14 December 2005 14:55, Andreas Steffen wrote:
> > we require peer to have ID 'C=US, ST=California, L=Santa Rosa, O=Example
> > Co, CN=*.vpn.example.net, E=ca-admin at example.net', but peer declares
> > 'C=US, ST=California, L=Santa Rosa, O=Example Co,
> > CN=test100.vpn.example.net, E=ca-admin at example.net'
>
> By design the wildcard character '*' cannot be used to substitute only
> a part of an RDN.
Is there some place or document that discusses the reasoning behind this? I
can think of at least one situation where the multiple levels this provides
would be useful. I assume it's disallowed for security reasons?
> > If I specify the CN as a wildcard entirely (CN=*) I get this error:
> >
> > 031 "test100": cannot initiate connection with ID wildcards
> > (kind=CK_TEMPLATE)
>
> You cannot initiate a wildcarded connection! As Paul correctly points
> out, it can be used in passive responder mode with right=%any only.
Thanks! The %any is what I was missing, actually, and what was causing the
crash when initiated by the remote side.
--
Kevan Benson
A-1 Networks
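For readers hitting the same two errors, here is an added ipsec.conf fragment (not from the thread or from the Openswan project) that shows the rejected form beside a responder-only connection that applies the rules given above: the '*' must stand in for a whole RDN value (CN=*), and a wildcarded rightid can only be used with right=%any and must not be started from this side. The gateway address, certificate file name, and connection names are assumptions; the archive's "at" in the e-mail RDN is written as "@" as it would appear in a real config.

```ini
# Added example, not the poster's config. Addresses and file names are made up.

# Rejected: the wildcard replaces only part of the CN value.
# Openswan requires '*' to stand in for the entire RDN value.
conn test100-bad
    rightid="C=US, ST=California, L=Santa Rosa, O=Example Co, CN=*.vpn.example.net, E=ca-admin@example.net"

# Accepted: CN=* wildcards the whole RDN. Because the ID is wildcarded the
# connection is a template (CK_TEMPLATE); it can only respond, so the peer
# must be %any and the connection must be loaded with auto=add, not auto=start.
conn test100
    left=192.0.2.1                 # assumed gateway address
    leftcert=gateway.pem           # assumed certificate file under /etc/ipsec.d/certs
    leftrsasigkey=%cert
    right=%any                     # passive responder: any address may connect
    rightid="C=US, ST=California, L=Santa Rosa, O=Example Co, CN=*, E=ca-admin@example.net"
    rightrsasigkey=%cert
    rightca=%same                  # pin the peer CA to our own CA; with CN=* any cert
                                   # from any trusted CA whose other RDNs match would pass
    auto=add                       # never auto=start: "cannot initiate connection with ID wildcards"
```

The rightca line is the caveat worth keeping: once CN is a wildcard, the remaining RDNs plus the issuing CA are the only things that still bind the peer's identity, so make sure the CA is constrained rather than relying on every CA in /etc/ipsec.d/cacerts.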