As the PKIX WG clearly states, UTF8Strings are the right way to go.
So in a first step I will make it possible for Pluto to compare
T61Strings and UTF8Strings and to declare them equal when the
character codes are the same. At a later date I will change over
to UTF8Strings, although it will break compatibility with older
versions of the X.509 patch. In the source code this can be done by
a simple parameter change in the table defining the relative
distinguished names.
Regards
Andreas
Jussi Torhonen wrote:
>
> Andreas Steffen wrote:
>
> > Ok - I have found the error. SSH Sentinel 1.3-beta codes
> > Relative Distinguished Names containing special characters,
> > e.g. the '@' character in
> >
> > CN=Rasmus_at_wiman.org
> >
> > as an ASN.1 UTF8String instead of an ASN.1 T61String as in earlier versions
> > of Sentinel. Since T61String is the default for OpenSSL I have chosen
> > this for coding Distinguished Names in ipsec.conf. Since the
> > binary coding of a UTF8String and a T61String are different, the
> > comparison fails and INVALID_ID_INFORMATION results.
>
> I got the following information from our PKI developers:
>
> Looks like OpenSSL cannot handle certificates with DN coded as
> UTF8String. IETF and PKIX WG recommend using UTF8String encoding.
> T61String is deprecated and none should use them.
>
> Best regards,
> Jussi Torhonen
> SSH Communications Security Corp, http://www.ssh.com
> SSH Sentinel VPN Client, http://www.ipsec.com
======================================================================
Andreas Steffen e-mail: andreas.steffen_at_zhwin.ch
Zuercher Hochschule Winterthur home: http://www.zhwin.ch/~sna/
CH-8401 Winterthur (Switzerland) phone: +41 76 340 25 56
===============================================================[ZHW]==
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:50 CEST
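
The mismatch discussed in this thread, as an added example that is not Pluto's, OpenSSL's or SSH Sentinel's code: a byte-wise comparison of two DER-encoded attribute values fails when one is tagged T61String (0x14) and the other UTF8String (0x0C), while a comparison that parses the tag and length can treat them as equal when the character codes are the same. The function names, the short-form-length restriction, the 7-bit-only rule for cross-type matches and the sample value "a@b.org" are assumptions made for this example.

```c
#include <stddef.h>
#include <string.h>

/* ASN.1 universal tags of the two string types discussed in the thread. */
#define ASN1_UTF8STRING 0x0C
#define ASN1_T61STRING  0x14
#define IS_DN_STRING(t) ((t) == ASN1_UTF8STRING || (t) == ASN1_T61STRING)

/* Constructed samples: the value "a@b.org" as T61String and as UTF8String. */
const unsigned char SAMPLE_T61[]  = {0x14, 7, 'a', '@', 'b', '.', 'o', 'r', 'g'};
const unsigned char SAMPLE_UTF8[] = {0x0C, 7, 'a', '@', 'b', '.', 'o', 'r', 'g'};

/* View of one DER TLV. Assumption: short-form length only (< 128 bytes). */
struct tlv { unsigned char tag; size_t len; const unsigned char *val; };

/* Returns 0 on success, -1 if the buffer is not exactly one short-form TLV. */
static int parse_tlv(const unsigned char *der, size_t n, struct tlv *out)
{
    if (n < 2 || (der[1] & 0x80) || (size_t)der[1] != n - 2)
        return -1;
    *out = (struct tlv){ der[0], der[1], der + 2 };
    return 0;
}

/* Strict comparison of the full encodings, tag byte included. */
int rdn_equal_strict(const unsigned char *a, size_t an, const unsigned char *b, size_t bn)
{
    return an == bn && memcmp(a, b, an) == 0;
}

/* Relaxed comparison: 1 equal, 0 different, -1 malformed input. A T61String
 * matches a UTF8String only if the content bytes are identical and all 7-bit,
 * the range where both types use the same character codes. */
int rdn_equal_relaxed(const unsigned char *a, size_t an, const unsigned char *b, size_t bn)
{
    struct tlv x, y;
    if (parse_tlv(a, an, &x) || parse_tlv(b, bn, &y))
        return -1;
    if (x.len != y.len || memcmp(x.val, y.val, x.len) != 0)
        return 0;
    if (x.tag == y.tag)
        return 1;
    if (!IS_DN_STRING(x.tag) || !IS_DN_STRING(y.tag))
        return 0;
    for (size_t i = 0; i < x.len; i++)
        if (x.val[i] & 0x80)
            return 0;   /* 8-bit codes differ between T.61 and UTF-8 */
    return 1;
}
```

Rejecting cross-type matches that contain 8-bit bytes keeps the relaxed rule from equating two identities whose bytes agree but whose characters do not.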