[Openswan Users] Openswan 2.6.14 (Fedora 9 revisited)

Michael H. Warfield mhw at WittsEnd.com
Thu Oct 2 13:12:36 EDT 2008

On Tue, 2008-09-30 at 12:45 -0400, Michael H. Warfield wrote:
> Hey all,

> 	I'm having more X.509 certificate problems with Openswan 2.6.14 now
> that I'm upgrading more of my servers.  Back in May and June there was a
> discussion over this as I was upgrading some clients to F9 and found
> that X.509 certs were failing due to the change in default id behavior.
> That was eventually worked out with an upgrade and with adding
> rightid=%fromcert and leftid=%fromcert.  Those were all client systems
> which were initiating connections (auto=start).  The servers these
> systems were connecting to remained at F8 w/ 2.4.9 until very recently.

> 	Now I've upgraded the servers and, once again, found the X.509
> certificates are broken, but in a different way.  I do see the peer id
> reported like this: "Main mode peer ID is ID_DER_ASN1_DN" followed by
> the certificate subject.  That's good, it's not the earlier problem,
> then.  But, the connections are failing with "no suitable connection for
> peer 'C=GA, ST=Georgia, L=Lilburn, O=Thaumaturgy & Speculums Technology,
> CN=complex.wittsend.com, E=postmaster at wittsend.com'"  But this
> connection worked just fine under 2.4.9.  In fact, by force installing
> 2.4.9, I can restore the servers back to operation, regardless of
> whether the clients are F8 / 2.4.9 or F9 / 2.6.14.

	This post was originally delayed.  ITMT, Paul and I debugged the
problem in private E-Mail and the issue is resolved in 2.6.18rc1.

Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471        | possible worlds.  A pessimist is sure of it!
