[Openswan Users] No suitable connection for peer message when using CA

Paul Wouters paul at xelerance.com
Wed Dec 10 19:21:14 EST 2008


On Wed, 10 Dec 2008, Nicolas Bellido Y Ortega wrote:

>> add dumpdir=/tmp to 'config setup' and please get us a gdb trace of the
>> core dump in /tmp/
>
> Will do that tomorrow... After quick scan of the Makefiles, I think I just have
> to add the -g flag to USERCOMPILE in Makefile.inc, right?

You shouldn't need to change it from the default. Just after the crash do:
cd openswan-2.x.y/OBJ*/programs/pluto/
gdb pluto
core /tmp/core.XXXX
bt full

> Do you prefer that I send the trace to the devel list?

Either the devel list or onto a new bug report on bugs.openswan.org please.

> In fact, what I want to achieve is for Left and Right to verify each other's
> certificate based on their respective root CA.
>
> Actually, I'd want Left to accept connections from any peer whose certificate
> is signed by any CA Left knows of. And I want the peer to authenticate Left
> based on the CA cert that signed Left's cert.

It should work.

> But if I understand what you said correctly, Left only needs to have:
> . its certificate and private key;
> . the root CA cert that signed Right's cert.
>
> Similarly, Right would only have to have, besides its own cert and priv key,
> the root CA cert that signed Left's cert.

That's right.

> Basically, Left and Right do *not* need to have their own CA root cert, do
> they? But would it hurt if they actually have it?

It should not matter if they have more CAs, except you might need to use
rightca=%any, otherwise the implicit rightca=%same might be used.

Paul
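The layout the thread converges on, written out as Left's ipsec.conf (an added example, not taken from the original message or from the Openswan project; the hostnames, file names and conn name are constructed):

```ini
# Left's /etc/ipsec.conf (constructed example).
# File placement assumed for Openswan 2.x:
#   /etc/ipsec.d/certs/left.pem       Left's own certificate
#   /etc/ipsec.d/private/left.key     Left's private key, referenced from
#                                     /etc/ipsec.secrets as:  : RSA left.key
#   /etc/ipsec.d/cacerts/peer-ca.pem  root CA that signed the peers' certs
# Left's own root CA does not need to be in cacerts for the peers to
# authenticate Left; each side only needs the CA that signed the other side.

config setup
    # as suggested in the thread: a pluto core dump lands in /tmp for gdb
    dumpdir=/tmp

conn peers-any-known-ca
    left=%defaultroute
    # Left authenticates with its own certificate; the public key and the
    # IKE identity are taken from the certificate itself.
    leftcert=left.pem
    leftrsasigkey=%cert
    leftid=%fromcert
    # Accept a connection from any address, as long as the peer presents a
    # certificate whose chain Left can verify.
    right=%any
    rightrsasigkey=%cert
    rightid=%fromcert
    # Without this line the implicit rightca=%same applies: the peer's cert
    # must chain to the CA that issued Left's own cert. %any accepts a cert
    # signed by any CA present in /etc/ipsec.d/cacerts, i.e. "any CA Left
    # knows of". Trust is still bounded by what is placed in that directory.
    rightca=%any
    auto=add
```

Right's configuration mirrors this with its own cert, key, and Left's root CA in its cacerts directory; it only needs rightca=%any if it, too, holds more than one CA.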

