[Openswan Users] Aggressive Mode with RSASig

Paul Wouters paul at xelerance.com
Mon Jan 31 13:01:44 CET 2005

On Mon, 31 Jan 2005 Sascha.Grau at Stud.Tu-Ilmenau.De wrote:

> Today I noticed that, when using aggressive mode together with rsasig authentication, pluto's behaviour
> differs from RFC2409 Sect. 5.1. It says that in messages 2 and 3 of the exchange, both parties may
> embed certificates and/or certificate requests.
> But if my communication partner sends his certificate, pluto panics and complains about the
> unexpected payload type. I changed pluto to accept CERT and CR in this state, but the corresponding
> peer still waits for my cert.

Okay. I'll let Michael look at the RFC compliance of this situation.
As for sending your cert, you can try:

        leftsendcert  This option configures when Openswan will send  X.509  certificates
                      to  the  remote  host. Acceptable values are yes|always (signifying
                      that we should always send a certificate), ifasked (signifying that
                      we  should  send  a certificate if the remote end asks for it), and
                      no|never (signifying that we will never send a X.509  certificate).
                      The  default for this option is ifasked which may break compatibility
                      with other vendor's IPSec implementations, such  as  Cisco  and
                      SafeNet.  If  you  find that you are getting errors about no ID/Key
                      found, you likely need to set this to always.

> So, here is the question:
> Was this case just forgotten, or were there any design decisions to do it this way? I personally
> cannot imagine why this should not be supported.

To keep track of this issue, I created a bug report: http://bugs.xelerance.com/view.php?id=222


"At best it is a theory, at worst a fantasy" -- Michael Crichton
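As an added illustration (not part of the original mail or of Openswan's own documentation), here is an ipsec.conf fragment showing the leftsendcert setting the mail quotes above, applied to an aggressive-mode RSASig connection. The connection name, hostnames, IDs and certificate file name are constructed placeholders; the option names (aggrmode, authby, leftsendcert, leftcert, leftrsasigkey/rightrsasigkey=%cert) are the Openswan ipsec.conf keywords as I know them and should be checked against the ipsec.conf(5) manual of the version in use.

```conf
# /etc/ipsec.conf fragment (constructed example, not from the original thread)
# Aggressive mode with RSA signature authentication, where the peer expects
# our X.509 certificate in message 2/3 rather than only a certificate request.

conn example-aggr-rsasig            # constructed connection name
        aggrmode=yes                 # IKEv1 aggressive mode (RFC 2409 sect. 5.1)
        authby=rsasig                # RSA signature authentication
        ike=3des-sha1-modp1024       # aggressive mode fixes the DH group; state it explicitly
        left=%defaultroute
        leftid="C=DE, O=Example, CN=vpn.example.invalid"   # constructed DN, must match the cert
        leftcert=vpn.example.invalid.pem                   # constructed filename in /etc/ipsec.d/certs
        leftrsasigkey=%cert          # take our public key from the certificate above
        # The default, ifasked, only sends the cert after a CERTREQ. A peer that
        # waits for our cert without asking (the situation in the mail) needs:
        leftsendcert=always
        right=peer.example.invalid   # constructed peer address
        rightid="C=DE, O=Example, CN=peer.example.invalid" # constructed peer DN
        rightrsasigkey=%cert         # verify the peer with the cert it sends
        auto=add
```

If the peer sends its certificate but pluto still rejects the payload, the setting above only addresses the sending side; the receiving-side behaviour is the bug tracked in the report linked in the mail.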
