
Re: [Users] X509 + SSH Sentinel problem.

From: Andreas Steffen (andreas.steffen_at_strongsec.com)
Date: Thu Apr 04 2002 - 22:34:38 CEST


Ok - I have found the error. SSH Sentinel 1.3-beta codes
Relative Distinguished Names containing special characters,
e.g. the '@' character in

 CN=Rasmus_at_wiman.org

as an ASN.1 UTF8String instead of an ASN.1 T61String as in earlier versions
of Sentinel. Since T61String is the default for OpenSSL I have chosen
this for coding Distinguished Names in ipsec.conf. Since the
binary coding of a UTF8String and a T61String are different, the
comparison fails and INVALID_ID_INFORMATION results.

As a workaround, try to enter a CN without special characters in SSH
Sentinel or import an OpenSSL certificate (with T61String encoding and
not based on a Sentinel certificate request) as a *.p12 file into Sentinel
(this has become possible with SSH Sentinel version 1.3).

I try to make the comparison of Relative Distinguished Names independent
of the string encoding and hope that it will go into version 0.9.10
of the X.509 patch.

Regards

Andreas

Rasmus Wiman wrote:
>
> Andreas Steffen <andreas.steffen_at_zhwin.ch> wrote:
>
> > as I could see the problem is that Sentinel is sending its self-signed
> > certificate instead of the cert signed by the CA. In addition to that
> > the self-signed certificate possesses a subjectAltName so that
> > Sentinel is sending an ID_USER_FQDN ID instead of the DN you configured.
> > Therefore INVALID_ID_INFORMATION results.
> >
> > Try to set the default certificate to the CA signed one, so that
> > Sentinel does not send the self-signed cert anymore.
>
> I just did. Sadly, it didn't help. I still get INVALID_ID_INFORMATION.
> Also, I must say that I don't really understand how subjectAltNames work
> even after re-reading the X.509 installation guide at www.strongsec.com a
> bunch of times. On which machine(s) do I need to mess with them? When? How
> do I do it in SSH Sentinel?
>
> I put up a new barf, this time with the other connection turned off so
> it's a bit smaller. I put it at <http://rasmus.wiman.org/barf2.txt>.
>
> Thanks for at least getting me a little bit further!
>
> /Rasmus Wiman
>
> http://rasmus.wiman.org
> http://dagbok.wiman.org
>
> I program my home computer
> Beam myself into the future

======================================================================
Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH phone: +41 76 340 25 56
Alter Zürichweg 20 home: http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
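The mismatch Andreas describes above, shown as an added example (this is
not code from the thread, from SSH Sentinel or from the FreeS/WAN X.509
patch). It DER-encodes the same single-attribute RDN (CN=Rasmus@wiman.org)
once with the ASN.1 UTF8String tag (0x0C, as Sentinel 1.3-beta does) and
once with the T61String tag (0x14, the OpenSSL default the patch expects),
shows that a byte-for-byte comparison of the two encodings fails, and then
does the comparison the way Andreas says he intends to fix it: decode each
value to text first and compare the text. Assumptions: the tiny DER encoder
and parser are hand-written for this example and only handle the three
string types and OID needed here; T61String bytes are treated as Latin-1,
which is a common practical simplification (real T.61 encodes umlauts with
a diacritic prefix byte), and the "Zürich" input is constructed to show
that the raw value bytes, not only the tag, differ for non-ASCII data.

```python
# Added example: why a byte-for-byte DN comparison fails when one side
# encodes a CN as UTF8String and the other as T61String, and how a
# value-based comparison avoids the problem. Not the X.509 patch's code.

CN_OID = bytes.fromhex("550403")   # id-at-commonName, OID 2.5.4.3

TAG_UTF8STRING = 0x0C
TAG_PRINTABLESTRING = 0x13
TAG_T61STRING = 0x14
TAG_SEQUENCE = 0x30
TAG_SET = 0x31
TAG_OID = 0x06


def der_len(n: int) -> bytes:
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def encode_string(value: str, tag: int) -> bytes:
    """Encode a DirectoryString value with the requested ASN.1 string tag."""
    if tag == TAG_UTF8STRING:
        raw = value.encode("utf-8")
    elif tag == TAG_T61STRING:
        raw = value.encode("latin-1")   # assumption: T.61 ~ Latin-1 for this demo
    elif tag == TAG_PRINTABLESTRING:
        raw = value.encode("ascii")
    else:
        raise ValueError("unsupported string tag 0x%02x" % tag)
    return tlv(tag, raw)


def encode_cn_rdn(value: str, tag: int) -> bytes:
    """RDN ::= SET { SEQUENCE { OBJECT IDENTIFIER cn, DirectoryString } }."""
    atv = tlv(TAG_SEQUENCE, tlv(TAG_OID, CN_OID) + encode_string(value, tag))
    return tlv(TAG_SET, atv)


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, body, position after this TLV) for the TLV at pos."""
    tag = buf[pos]
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_cn_rdn(der: bytes) -> str:
    """Parse the RDN built by encode_cn_rdn and return the CN as text."""
    tag, set_body, _ = read_tlv(der)
    if tag != TAG_SET:
        raise ValueError("expected SET")
    tag, atv, _ = read_tlv(set_body)
    if tag != TAG_SEQUENCE:
        raise ValueError("expected SEQUENCE")
    tag, oid, pos = read_tlv(atv)
    if tag != TAG_OID or oid != CN_OID:
        raise ValueError("expected commonName OID")
    tag, raw, _ = read_tlv(atv, pos)
    if tag == TAG_UTF8STRING:
        return raw.decode("utf-8")
    if tag == TAG_T61STRING:
        return raw.decode("latin-1")   # same assumption as in encode_string
    if tag == TAG_PRINTABLESTRING:
        return raw.decode("ascii")
    raise ValueError("unsupported string tag 0x%02x" % tag)


def rdn_equal_bytewise(a: bytes, b: bytes) -> bool:
    """The comparison that fails in the thread: compare DER bytes directly."""
    return a == b


def rdn_equal_by_value(a: bytes, b: bytes) -> bool:
    """Encoding-independent comparison: decode both values, then compare."""
    return decode_cn_rdn(a) == decode_cn_rdn(b)


if __name__ == "__main__":
    cn = "Rasmus@wiman.org"                      # the CN from the thread
    sentinel = encode_cn_rdn(cn, TAG_UTF8STRING)  # what Sentinel 1.3-beta sends
    openssl = encode_cn_rdn(cn, TAG_T61STRING)    # what ipsec.conf / OpenSSL uses
    print("UTF8String :", sentinel.hex())
    print("T61String  :", openssl.hex())
    print("bytewise equal:", rdn_equal_bytewise(sentinel, openssl))
    print("value equal   :", rdn_equal_by_value(sentinel, openssl))
```

For an all-ASCII CN only the tag octet differs (0x0c versus 0x14), which is
enough to make the raw comparison fail with the INVALID_ID_INFORMATION
outcome described above; for a CN with non-ASCII characters the value
octets differ as well, so a fix that merely ignores the tag byte is not
sufficient and the values really have to be decoded before comparing.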



This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:48 CEST