[Openswan Users] Wildcards in ID_DER_ASN1_DN (rightid)

Kevan Benson kbenson at a-1networks.com
Wed Dec 14 15:38:43 CET 2005

On Wednesday 14 December 2005 14:55, Andreas Steffen wrote:
> > we require peer to have ID 'C=US, ST=California, L=Santa Rosa, O=Example
> > Co, CN=*.vpn.example.net, E=ca-admin at example.net', but peer declares
> > 'C=US, ST=California, L=Santa Rosa, O=Example Co,
> > CN=test100.vpn.example.net, E=ca-admin at example.net'
> By design the wildcard character '*' cannot be used to substitute only
> a part of an RDN.

Is there some place or document that discusses the reasoning behind this?  I 
can think of at least one situation where the multiple levels this provides 
would be useful.  I assume it's disallowed for security reasons?

> > If I specify the CN as a wildcard entirely (CN=*) I get this error:
> >
> > 031 "test100": cannot initiate connection with ID wildcards
> > (kind=CK_TEMPLATE)
> You cannot initiate a wildcarded connection! As Paul correctly points
> out, it can be used in passive responder mode with right=%any only.

Thanks!  the %any is what I was missing actually, and what was causing the 
crash when initiated by the remote side.

Kevan Benson
A-1 Networks

More information about the Users mailing list