[Openswan Users] Aggressive Mode with RSASig
Paul Wouters
paul at xelerance.com
Mon Jan 31 13:01:44 CET 2005
On Mon, 31 Jan 2005 Sascha.Grau at Stud.Tu-Ilmenau.De wrote:
> Today I noticed that, using aggressive mode together with rsasig authentication, pluto's behaviour
> differs from RFC2409 Sect. 5.1. It says that in messages 2 and 3 of the exchange, both parties may
> embed certificates and/or certificate requests.
> But if my communication partner sends his certificate, pluto panics and complains about the
> unexpected payload type. I changed pluto to accept CERT and CR in this state, but the corresponding
> peer still waits for my cert.
Okay. I'll let Michael look at the RFC compliance of this situation.
As for sending your cert, you can try:
leftsendcert    This option configures when Openswan will send X.509 certificates
                to the remote host. Acceptable values are yes|always (signifying
                that we should always send a certificate), ifasked (signifying that
                we should send a certificate if the remote end asks for it), and
                no|never (signifying that we will never send an X.509 certificate).
                The default for this option is ifasked, which may break compatibility
                with other vendors' IPSec implementations, such as Cisco and
                SafeNet. If you find that you are getting errors about no ID/Key
                found, you likely need to set this to always.
> So, here is the question:
> Was this case just forgotten, or were there any design decisions to do it this way? I personally
> cannot imagine why this should not be supported.
To keep track of this issue, I created a bug report: http://bugs.xelerance.com/view.php?id=222
Paul
--
"At best it is a theory, at worst a fantasy" -- Michael Crichton
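The following ipsec.conf fragment is an added example, not configuration from the original post or from the Openswan project: it shows the setting Paul suggests, leftsendcert=always, in a conn that uses aggressive mode with RSA-signature authentication, so the local certificate goes out unconditionally instead of waiting for a CERTREQ that the peer in this thread never sends. The connection name, IDs, certificate file name and the single ike= proposal are placeholders chosen for illustration; the assumption that aggressive mode is configured with aggrmode=yes and a single IKE proposal is the editor's, not stated in the post.

```ini
# Added example (not from the original post or the Openswan project).
# Assumptions: an Openswan release with aggrmode support, the local
# certificate installed under /etc/ipsec.d/certs, and placeholder IDs.
conn agg-rsasig
        # Aggressive Mode instead of Main Mode; Openswan expects a single
        # ike= proposal here (assumption: group cannot be negotiated in AM).
        aggrmode=yes
        ike=3des-sha1-modp1024
        authby=rsasig
        left=%defaultroute
        leftid=@gw.example.com
        leftcert=gwCert.pem
        leftrsasigkey=%cert
        # The default, leftsendcert=ifasked, only sends our certificate after
        # the peer's CERTREQ. A peer that never asks (the case in this thread)
        # is left waiting for our cert, so send it unconditionally:
        leftsendcert=always
        right=%any
        rightid=@peer.example.com
        rightrsasigkey=%cert
        auto=add
```

With leftsendcert=always the CERT payload is included regardless of whether a CR arrived; the peer still has to validate the certificate against its own trust anchors, so this only fixes the "no ID/Key found" class of errors, not a CA mismatch.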