[Openswan Users] ID_DER_ASN1_DN change in 2.5.17, was Re: Openswan on Fedora 9

Paul Wouters paul at xelerance.com
Mon Jun 9 12:11:10 EDT 2008

> > > 	My problem is in X.509 cert handling.  The problem looks like it's not
> > > handling cert DNs as the Main ID.

There is a new setting, which I did not know about:


I'm strongly leaning towards undoing the code that causes this to be
neccessary, unless someone can convince me that the default when
using leftcert= should be ID_IPV4_ADDR instead of ID_DER_ASN1_DN. I
can come up with no valid reason for this.

The comment with that commit says:

commit f789468cee4e8d68645eae87d0a016edba575e45
Author: Michael Richardson <mcr at xelerance.com>
Date:   Tue Dec 18 19:53:35 2007 -0500

    permit leftid= to be used even when using leftcert. Do not override
    the ID type unless the ID type is none, or %fromcert.
So it looks like specifying leftid="something" was ignored when leftcert=
was used. However, the fix for this caused a side effect changing the
*default* type of id when leftcert= is used from ID_DER_ASN1_DN to
ID_IPV4_ADDR. This will cause major headaches for people upgrading from
openswan 2.4.x

> 	I do see a couple of syslog messages that say to report this:
> Jun  9 11:41:14 kolvir pluto[1240]: "remus" #2: alloc_bytes1() was mistakenly asked to malloc 0 bytes for st_skey_ar in duplicate_state, please report to dev at openswan.org

Thanks. We now know where this is done, and will see about avoiding these in the future.

> 	Seems to be working, though.  Continuing to test.

Let us know how things progres.


More information about the Users mailing list