[Openswan Users] ID_DER_ASN1_DN change in 2.5.17, was Re: Openswan on Fedora 9
Paul Wouters
paul at xelerance.com
Mon Jun 9 12:11:10 EDT 2008
> > > My problem is in X.509 cert handling. The problem looks like it's not
> > > handling cert DNs as the Main ID.
There is a new setting, which I did not know about:
leftid=%fromcert
I'm strongly leaning towards undoing the code that causes this to be
necessary, unless someone can convince me that the default when
using leftcert= should be ID_IPV4_ADDR instead of ID_DER_ASN1_DN. I
can come up with no valid reason for this.
The comment with that commit says:
commit f789468cee4e8d68645eae87d0a016edba575e45
Author: Michael Richardson <mcr at xelerance.com>
Date: Tue Dec 18 19:53:35 2007 -0500
permit leftid= to be used even when using leftcert. Do not override
the ID type unless the ID type is none, or %fromcert.
So it looks like specifying leftid="something" was ignored when leftcert=
was used. However, the fix for this caused a side effect changing the
*default* type of id when leftcert= is used from ID_DER_ASN1_DN to
ID_IPV4_ADDR. This will cause major headaches for people upgrading from
openswan 2.4.x.
> I do see a couple of syslog messages that say to report this:
>
> Jun 9 11:41:14 kolvir pluto[1240]: "remus" #2: alloc_bytes1() was mistakenly asked to malloc 0 bytes for st_skey_ar in duplicate_state, please report to dev at openswan.org
Thanks. We now know where this is done, and will see about avoiding these in the future.
> Seems to be working, though. Continuing to test.
Let us know how things progress.
Paul
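For anyone hitting this on upgrade, the following ipsec.conf fragment is an added illustration (not from the original post or the Openswan tree) of the workaround the post describes: keeping the certificate's DN as the IKE ID under 2.5.17 by setting leftid=%fromcert explicitly. The conn name, certificate nickname, addresses and the peer's DN are placeholders; only leftid=%fromcert itself comes from the post.

```conf
# ipsec.conf fragment (placeholder values throughout)
conn remus-example
    # Local side authenticates with an X.509 certificate.
    left=192.0.2.10
    leftcert=gateway-example.pem
    leftrsasigkey=%cert
    # In 2.5.17 the default ID with leftcert= became the IPv4 address
    # (ID_IPV4_ADDR). Request the certificate's subject DN instead
    # (ID_DER_ASN1_DN), which is what 2.4.x used by default.
    leftid=%fromcert
    # Peer is identified by its certificate DN, so rightid must be a DN,
    # not an address; the string must match the peer's subject exactly.
    right=198.51.100.20
    rightid="C=XX, O=Example Org, CN=remus.example.invalid"
    authby=rsasig
    auto=add
```

A 2.4.x configuration that relied on the implicit DN ID will negotiate with ID_IPV4_ADDR after the upgrade unless the leftid line is present, so check the ID type in pluto's log for each affected conn.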