[Openswan Users] Wildcards in ID_DER_ASN1_DN (rightid)

Andreas Steffen andreas.steffen at strongsec.net
Thu Dec 15 06:46:09 CET 2005

Kevan Benson wrote:
> On Wednesday 14 December 2005 14:55, Andreas Steffen wrote:
>>>we require peer to have ID 'C=US, ST=California, L=Santa Rosa, O=Example
>>>Co, CN=*.vpn.example.net, E=ca-admin at example.net', but peer declares
>>>'C=US, ST=California, L=Santa Rosa, O=Example Co,
>>>CN=test100.vpn.example.net, E=ca-admin at example.net'
>>By design the wildcard character '*' cannot be used to substitute only
>>a part of an RDN.
> Is there some place or document that discusses the reasoning behind this?  I 
> can think of at least one situation where the multiple levels this provides 
> would be useful.  I assume it's disallowed for security reasons?
The reasoning behind it is quite straightforward:

The available spare time I had when I wrote this code was limited ;-)

Comparing Distinguished Names is a very time consuming business.
By implementing full support of regular expressions within a single
Relative Distinguished Name (RDN) this process would get even
more complicated. As an alternative to wildcarded substrings within
RDNs you always have the possibility to add an arbitrary number of
RDNs to your DN in order to achieve the desired granularity. E.g. you
could add multiple OU= fields or OU1=, OU2=, etc.

> Thanks!  the %any is what I was missing actually, and what was causing the 
> crash when initiated by the remote side.

Pluto shouldn't dump core.

Andreas Steffen                   e-mail: andreas.steffen at strongsec.com
strongSec GmbH                    home:   http://www.strongsec.com
Alter Zürichweg 20                phone:  +41 1 730 80 64
CH-8952 Schlieren (Switzerland)   fax:    +41 1 730 80 65
==========================================[strong internet security]===
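To make the whole-RDN wildcard rule from the reply concrete, here is an added example (not Openswan or strongSec code) of a minimal Distinguished Name matcher with the semantics described: a `*` stands in for one complete RDN value only, so `CN=*.vpn.example.net` is compared literally and fails against `CN=test100.vpn.example.net`, while the granularity can instead be expressed with extra `OU=` RDNs. The DN parser is a constructed simplification (comma-separated `ATTR=value` pairs, no escaped commas).

```python
# Added example: whole-RDN wildcard matching for IKE identities of type
# ID_DER_ASN1_DN. Simplified and constructed; not the Openswan implementation.
from typing import List, Tuple

def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split 'C=US, O=Example Co' into ordered (attribute, value) RDN pairs."""
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns

def dn_matches(peer_dn: str, rightid: str) -> bool:
    """True if peer_dn satisfies the rightid template.

    A '*' in the template matches exactly one whole RDN value; anything else
    (including '*.vpn.example.net') is compared literally, so no substring
    wildcards. RDN count, order and attribute types must all agree.
    """
    peer, tmpl = parse_dn(peer_dn), parse_dn(rightid)
    if len(peer) != len(tmpl):
        return False
    for (p_attr, p_val), (t_attr, t_val) in zip(peer, tmpl):
        if p_attr != t_attr:
            return False
        if t_val == "*":
            continue                    # whole-RDN wildcard: any value is fine
        if p_val != t_val:
            return False                # literal comparison, partial '*' fails
    return True

if __name__ == "__main__":
    # Constructed DNs mirroring the thread: partial wildcard in CN does not
    # match, but a dedicated OU RDN with a full wildcard does.
    peer = "C=US, O=Example Co, OU=vpn, OU=test100, CN=test100.vpn.example.net"
    print(dn_matches(peer, "C=US, O=Example Co, OU=vpn, OU=*, CN=*.vpn.example.net"))  # False
    print(dn_matches(peer, "C=US, O=Example Co, OU=vpn, OU=*, CN=*"))                  # True
```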
