Paul Wouters paul at xelerance.com
Fri Feb 15 16:18:49 EST 2008

On Fri, 15 Feb 2008, roman wrote:

> I wasted 2 days diagnosing an almost simple issue in FreeSWan 1.99

Sorry :)

> I had to create a new root CA because the old one got expired and there was
> no source for obtaining the old password..., I created a new root CA and new

> trouble.  My new CA had the same CN as one of the old ones. I know this is
> mentioned in Paul's book, but never crossed that before.

> @Paul: can you incorporate one or two lines of code giving a hint that 2
> identical CNs are loaded?

Can you give me the output of loading those two certs, starting the conn
and getting the failure, with plutodebug="all"?

> At start the program reads all CAs and they remain
> in RAM, regardless of starting and stopping tunnels which use the respective
> CAs. Only ipsec restart seems to erase references to already deleted CAs in
> ipsec.d/cacert

Right. But the expired CA at least should be in use anymore.

CA certs do not "belong" to a conn. They're all in one "ca cert" pool.
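The check roman asks for (a warning when two loaded CA certs share a CN, plus a flag on expired ones) can be done outside pluto as an audit of the cacerts directory. The following is an added example, not code from Openswan or from anyone on this thread; it parses the `subject=` and `notAfter=` lines printed by `openssl x509 -noout -subject -enddate`. The file names, subjects and dates in `SAMPLE_SUMMARIES` are constructed for illustration, and `/etc/ipsec.d/cacerts` is assumed to be the pool directory.

```python
import os
import re
import subprocess
from collections import defaultdict
from datetime import datetime, timezone

# Subject CN in either OpenSSL print style: "CN = Example CA" or "/CN=Example CA".
CN_RE = re.compile(r"(?:^|[/,]\s*)CN\s*=\s*([^,/]+)")


def summarize_cert(path):
    """Run openssl to get the subject and notAfter lines for one certificate file.
    Only used when auditing a live directory; the sample data below is used otherwise."""
    return subprocess.run(
        ["openssl", "x509", "-in", path, "-noout", "-subject", "-enddate"],
        check=True, capture_output=True, text=True).stdout


def parse_summary(text):
    """Parse the 'subject=...' and 'notAfter=...' lines into (cn, not_after)."""
    cn, not_after = None, None
    for line in text.splitlines():
        if line.startswith("subject="):
            m = CN_RE.search(line[len("subject="):])
            cn = m.group(1).strip() if m else None
        elif line.startswith("notAfter="):
            stamp = line[len("notAfter="):].strip()      # e.g. "Feb 15 16:18:49 2008 GMT"
            not_after = datetime.strptime(stamp, "%b %d %H:%M:%S %Y %Z")
            not_after = not_after.replace(tzinfo=timezone.utc)
    return cn, not_after


def audit_summaries(summaries, now=None):
    """summaries: {filename: openssl summary text}.
    Returns the CNs that occur in more than one CA cert and the expired files."""
    now = now or datetime.now(timezone.utc)
    by_cn = defaultdict(list)
    expired = []
    for name, text in summaries.items():
        cn, not_after = parse_summary(text)
        by_cn[cn].append(name)
        if not_after is not None and not_after < now:
            expired.append(name)
    dups = {cn: sorted(files) for cn, files in by_cn.items() if len(files) > 1}
    return {"duplicate_cns": dups, "expired": sorted(expired)}


def audit_directory(directory="/etc/ipsec.d/cacerts"):
    """Audit every file in the CA cert pool directory (path is an assumption)."""
    summaries = {f: summarize_cert(os.path.join(directory, f))
                 for f in sorted(os.listdir(directory))}
    return audit_summaries(summaries)


# Constructed sample output in the shape openssl prints; these are not real certificates.
SAMPLE_SUMMARIES = {
    "oldca.pem": "subject=C = CH, O = Example, CN = Example Root CA\n"
                 "notAfter=Jan  1 00:00:00 2008 GMT\n",
    "newca.pem": "subject=C = CH, O = Example, CN = Example Root CA\n"
                 "notAfter=Jan  1 00:00:00 2018 GMT\n",
    "other.pem": "subject=/C=CH/O=Example/CN=Other CA\n"
                 "notAfter=Jun 30 12:00:00 2010 GMT\n",
}

if __name__ == "__main__":
    # Evaluate the sample as of the date of this thread.
    report = audit_summaries(SAMPLE_SUMMARIES,
                             now=datetime(2008, 2, 15, tzinfo=timezone.utc))
    for cn, files in report["duplicate_cns"].items():
        print(f"WARNING: CN '{cn}' is present in more than one CA cert: {', '.join(files)}")
    for f in report["expired"]:
        print(f"WARNING: {f} has expired")
```

Because all CA certs sit in one pool rather than per-conn, a duplicate CN is a pool-wide problem; running `audit_directory()` after dropping a new CA file in (and before `ipsec restart`) surfaces it before the first tunnel fails.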