[Openswan Users] Apple macOSX 10.4.3: success!

Paul Wouters paul at xelerance.com
Mon Nov 14 22:27:18 CET 2005


On Mon, 14 Nov 2005, Jacco de Leeuw wrote:

> I have only tried it on 10.4.3 though, so I don't know if it also works on
> previous versions of Tiger. I did not want to downgrade to find out.
> (Is there anyone who is willing to try it on 10.4.0 - 10.4.2?)

The GUI is missing on those systems; only Tiger had the X.509 option, so
you cannot really try it on those.

> There are two things that you need to keep in mind. The first one is that the
> ID in the Openswan server certificate *must* be a hostname (type FQDN) or
> an IP address (type IPV4_ADDR). For example, if you use OpenSSL you
> need something like: subjectAltName=DNS:soggy.strongsec.com or
> subjectAltName=IP:160.85.22.3 in your openssl.cnf when you generate the
> server certificate. This hostname or IP address must also match the
> "Server Address:" in the 'Internet Connect' application.

I'll give that a try later this week. I've been busy :P

> The other crucial thing is that you need Administrator privileges to access
> the 'System' keychain.

The GUI allows you to unlock those keychains as well. So it should still be
possible to do through the GUI. Open Keychain Access.app and on the far left
bottom corner you see a 'show keychains' option. Then you should be able to
see (and unlock) the System keychain.

> I guess the only remaining problem is the bug in Apple's racoon where they
> swapped the NAT-D hashes: http://bugs.xelerance.com/view.php?id=462
> Peter Van der Beken made a workaround but it is not in the recently
> released Openswan 2.4.2.

It is broken. Also, the aggressive mode code has been severely changed, so
the remainder of the bug might actually be solved. Though this work is not
happening in the 2.4.x branch, but in HEAD.

> their act together but it took them almost 2 years to add certificate
> support so I wouldn't hold my breath...

I have an outstanding bug report for this with Apple Developer Centre. So
far, I've only received 4 spams from them.

Paul
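The subjectAltName requirement quoted above (DNS: for an FQDN ID, IP: for an IPV4_ADDR ID, and the value must equal the client's "Server Address:"), as an added example that is not part of this thread or of Openswan: it writes a minimal openssl.cnf, issues a throwaway self-signed server certificate from it, and then checks candidate server addresses against the certificate's SAN entries. It assumes the openssl command-line tool is installed; the hostname vpn.example.test and the address 192.0.2.10 are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the thread: build a test server certificate whose
# subjectAltName carries a DNS name and an IP address, then check whether a
# given "Server Address:" value is covered by that SAN (constructed values).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/openssl.cnf"; KEY="$WORK/server.key"; CERT="$WORK/server.crt"

# Minimal openssl.cnf: the v3_server section holds the subjectAltName line
# the Openswan server certificate needs (DNS: for FQDN, IP: for IPV4_ADDR).
make_test_cert() {
    cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_server
prompt             = no
[ dn ]
CN = vpn.example.test
[ v3_server ]
subjectAltName = DNS:vpn.example.test,IP:192.0.2.10
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$CNF" -keyout "$KEY" -out "$CERT" 2>/dev/null
}

# List the SAN entries of a PEM certificate, one per line, normalised to the
# openssl.cnf spelling ("DNS:host" / "IP:addr").
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed -e 's/^[[:space:]]*//' -e 's/^IP Address:/IP:/'
}

# Succeed (exit 0) only if the address appears as a DNS or IP SAN entry.
san_matches() {
    cert_sans "$1" | grep -qxF -e "DNS:$2" -e "IP:$2"
}

make_test_cert
for addr in vpn.example.test 192.0.2.10 10.0.0.1; do
    if san_matches "$CERT" "$addr"; then
        echo "ok:       $addr is covered by the certificate's SAN"
    else
        echo "mismatch: $addr is not in the SAN, so it will not match as Server Address"
    fi
done
```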

