
[Users] Version 0.9.10 of X.509 patch released

From: Andreas Steffen (andreas.steffen_at_zhwin.ch)
Date: Sun Apr 14 2002 - 21:31:34 CEST


Version 0.9.10 of the X.509 patch for both freeswan-1.97 and the
current snapshot can be downloaded from

  http://www.strongsec.com/freeswan/

New features in version 0.9.10:

- Multiple certificates and corresponding multiple private keys
  for the local FreeS/WAN host are now supported. Assuming that the
  local side is "left", the parameter leftcert= indicates the
  certificate to be sent to the peer.

  A leftcert entry in the conn %default section provides a default
  certificate so that /etc/x509cert.der is not needed anymore.

  Examples:

  conn %default
       left=%defaultroute
       leftcert=myCert1.pem

  conn rw1
       right=%any
       rightid=@peer1.domain1
       # leftid is the DN of myCert1

  conn rw2
       right=%any
       rightid=@peer2.domain2
       leftcert=myCert2.pem
       # leftid is the DN of myCert2

  conn rw3
       right=%any
       rightid=@peer3.domain1
       leftid=@myid.domain1
       # leftid is myid.domain1 and must be a subjectAltName
       # contained in myCert1

  The certificates are loaded relative to /etc/ipsec.d or from
  an arbitrary absolute path. The corresponding private keys
  are loaded via ipsec.secrets:

  : RSA myKey1.pem "<optional passphrase>"

  : RSA myKey2.pem "<optional passphrase>"

  Based on the public key contained in the leftcert certificate
  the corresponding private key is found automatically.

- Due to the support of multiple certificates and corresponding
  private keys, configuration has become much simpler. Therefore
  a large part of the README has been rewritten. Still, backward
  compatibility to previous versions of the patch has been
  maintained.

- Since x509.c has grown quite significantly over the last few
  versions, it has been split into asn1.c, pkcs.c and x509.c,
  accompanied by the corresponding header files asn1.h, pkcs.h
  and x509.h, respectively.

- The ASN.1 parser now tolerates UTCTIME and GENERALIZEDTIME
  objects with nonzero time zone offsets and missing seconds
  field (DER coding requires both Zulu time and a seconds field,
  so in a proper certificate these special cases should never
  occur). Thanks go to Jochen Eisinger for his patch.

- Adopted the new FreeS/WAN keyid for RSA public keys, consisting
  of 9 base64 digits. Used in ipsec auto --listpubkeys.

- "make install" now creates the /etc/ipsec.d directory and its
  sub directories cacerts, crls, and private.

Regards

Andreas
 
======================================================================
Andreas Steffen e-mail: andreas.steffen_at_zhwin.ch
Zuercher Hochschule Winterthur home: http://www.zhwin.ch/~sna/
CH-8401 Winterthur (Switzerland) phone: +41 76 340 25 56
===============================================================[ZHW]==



This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:51 CEST