[Openswan Users] Two problems with certificates on openswan 1.0.8
Ken Bantoft
ken at xelerance.com
Mon Jan 24 13:03:18 CET 2005
Andrea Dell'Amico wrote:
>Hello, I have a node whose certificate subject had "D=C=SERVER" in it;
>openswan complains with the message "bad right --id: unknown OID in
>ID_DER_ASN1_DN (ignored)" and the node is activated.
>The strange (wrong) fact is that it acts as a wild card: every node with
>a certificate made by the right CA can establish a connection with that
>vpn server.
>I will request a correct certificate, but I'm puzzled: is it the
>expected behaviour?
>
>
>Another question: For a customer I have to work with certificates with
>an "R" field in the subject. openswan rejects them because R isn't a
>supported field. I may add it to the list of the good ones, but what's
>the rationale behind the supported RDNs? Why is a list of supported RDNs
>needed?
>
>
Sure, you can modify the defines to add this 'R' field to the list.
The rationale was initially that the X.509 patches supported only the
requirements for IPsec X.509 Certs, and not much else. Note that a lot
has changed since then, and in more recent versions of the X.509 patch
Andreas has added several features which might help you out here.
http://www.strongsec.com/freeswan/install.txt has info about the
currently supported X.509 RDNs.
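The first problem in the thread is worth seeing in code: when the configured ID cannot be parsed (here because of the unknown "D" attribute type), "ignoring" the ID is the same as configuring no ID at all, so any certificate issued by the trusted CA is accepted. The following is an added example written for this archive page, not openswan's code; it is a small DN matcher in Python with a constructed, illustrative whitelist of RDN attribute types (not the list the X.509 patch actually uses; see the install.txt link above for that). It shows the fail-open behaviour described in the report next to the fail-closed alternative, and how a whitelist such as this one would be extended with an extra type like "R".

```python
"""Constructed example: an unrecognised RDN type in a configured ID must fail closed.

Not openswan code.  KNOWN_RDN_TYPES is an illustrative subset chosen for this
example, not the list used by the X.509 patch.
"""
from typing import List, Set, Tuple

# Illustrative whitelist of RDN attribute types (constructed for this example).
KNOWN_RDN_TYPES: Set[str] = {"C", "ST", "L", "O", "OU", "CN", "E", "EMAILADDRESS"}

RDN = Tuple[str, str]


def parse_dn(dn: str, known: Set[str] = KNOWN_RDN_TYPES) -> List[RDN]:
    """Split a comma-separated 'type=value' DN into (TYPE, value) pairs.

    Raises ValueError on a malformed RDN or an attribute type not in `known`.
    "D=C=SERVER" splits once on '=' into type "D" and value "C=SERVER", so the
    unknown type "D" is what gets rejected.
    """
    rdns: List[RDN] = []
    for part in dn.split(","):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        typ, value = part.split("=", 1)
        typ = typ.strip().upper()
        if typ not in known:
            raise ValueError(f"unknown RDN type {typ!r} in {dn!r}")
        rdns.append((typ, value.strip()))
    return rdns


def dn_matches(configured: str, presented: str, ignore_unknown: bool = False) -> bool:
    """Decide whether a peer's certificate subject satisfies the configured ID.

    ignore_unknown=True reproduces the reported behaviour: an unparseable
    configured ID is dropped ("(ignored)") and every peer with a certificate
    from the trusted CA matches, i.e. the ID acts as a wildcard.
    ignore_unknown=False (the default here) refuses the peer instead.
    Value comparison is exact; a real implementation would follow the
    X.500 matching rules, which this example does not attempt.
    """
    try:
        want = parse_dn(configured)
    except ValueError:
        return ignore_unknown  # True == fail open (wildcard), False == fail closed
    try:
        got = parse_dn(presented)
    except ValueError:
        return False  # peer DN itself has an unknown/malformed RDN
    return want == got


def parse_with_extra_type(dn: str, extra: str) -> List[RDN]:
    """Parse `dn` with one additional attribute type whitelisted (e.g. "R")."""
    return parse_dn(dn, known=KNOWN_RDN_TYPES | {extra.upper()})


if __name__ == "__main__":
    # Constructed sample DNs; no real certificates involved.
    good_id = "C=IT, O=Example, CN=server"
    bad_id = "D=C=SERVER"          # the unknown "D" type from the report
    peer = "C=IT, O=Example, CN=anyone"

    print("exact match      :", dn_matches(good_id, "C=IT, O=Example, CN=server"))
    print("wrong CN         :", dn_matches(good_id, peer))
    print("bad ID, ignored  :", dn_matches(bad_id, peer, ignore_unknown=True))
    print("bad ID, rejected :", dn_matches(bad_id, peer))
    print("R whitelisted    :", parse_with_extra_type("R=x, CN=y", "R"))
```

Running the script prints True, False, True, False and the parsed "R" DN: the third line is the wildcard effect from the report, the fourth is what fail-closed handling looks like.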