
Re: [Users] Windows 2000 native IPsec and x509 certificates

From: Andreas Steffen (andreas.steffen_at_strongsec.net)
Date: Mon Jul 08 2002 - 13:32:20 CEST


A CN relative distinguished name (RDN) is coded as an ASN.1 PrintableString
when it does not contain any special characters. If a '*' character is
contained in the CN RDN then any of the following ASN.1 string types could
potentially have been applied: UTF8String, T61String, or some more.
I don't know how tolerant Windows 2000 is concerning string encodings.
FreeS/WAN has become quite flexible and supports comparison of strings
coded with different types.

Andreas

P.S. If you want you can send me the two CA certificates. I could
      analyze their encoding.

Regards

Andreas

Stefan Jenisch wrote:
> Hi folks
>
> I want to inform you about some troubles I ran into while using freeswan
> and the windows 2000 native IPsec implementation combined with x509
> certificates.
> It looks like windows 2000 has troubles with special characters in the
> subject name of certificates.
> For some testing purpose I had two RootCAs generated with openSSL. The
> first had the CN (Common Name) "rootca.domainname.net" while the other had
> as CN "*.domainname.net". I used the certificates from those rootCAs to
> connect a freeSWAN gateway with a Windows2000 client via IPsec (in tunnel
> mode).
> While windows 2000 native IPsec worked fine with the certificates from the
> first rootCA ("CN=rootca.domainname.net") W2k refused to work with certificates
> from the second rootCA (CN="*.domainname.net"), and this with the same
> IPsec configuration!!
> What's wrong here? I searched the web but I did not find any restrictions
> concerning special characters in the subject string of x509 certificates.
> Maybe you know more :)
>
>
> Greetings Stefan Jenisch
>
>
>
> --------------------------------------------------------------------------
> | Stefan Jenisch University of Salzburg |
> | email: sjenisch_at_cosy.sbg.ac.at Institute of Computer Science |
> | Tel.: +43/(0)662/8044-6340 Jakob Haringerstr. 2 |
> | Fax.: +43/(0)662/8044-611 A-5020 Salzburg (Austria) |
> --------------------------------------------------------------------------

======================================================================
Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH phone: +41 76 340 25 56
Alter Zürichweg 20 home: http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==
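
The encoding point made in the reply above, as an added example that is not part of the original mail and is not FreeS/WAN code: a small DER walker that reports which ASN.1 string type a CN carries and compares two CNs by decoded text rather than by raw bytes. The sample names are constructed from the CNs quoted in the thread; reading T61String as Latin-1 and the helper names are assumptions.

```python
import string

# Universal tags of the ASN.1 string types named in the mail, with a codec each.
STRING_TAGS = {0x0C: ("UTF8String", "utf-8"), 0x13: ("PrintableString", "ascii"),
               0x14: ("T61String", "latin-1")}  # T61 read as Latin-1: an assumption
CN_OID = b"\x55\x04\x03"  # id-at-commonName, 2.5.4.3
PRINTABLE = set(string.ascii_letters + string.digits + " '()+,-./:=?")

def read_tlv(buf, pos=0):
    """Parse one DER TLV at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each TLV packed inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def cn_of(name_der):
    """Return (string type name, decoded text) of the first CN in a DER Name."""
    tag, rdns, _ = read_tlv(name_der)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    for _, rdn in children(rdns):        # each RDN is a SET
        for _, atv in children(rdn):     # of AttributeTypeAndValue SEQUENCEs
            (oid_tag, oid), (str_tag, raw) = list(children(atv))[:2]
            if oid_tag == 0x06 and oid == CN_OID and str_tag in STRING_TAGS:
                type_name, codec = STRING_TAGS[str_tag]
                return type_name, raw.decode(codec)
    return None

def fits_printable(text):
    """True when every character is in the PrintableString alphabet ('*' is not)."""
    return all(ch in PRINTABLE for ch in text)

def make_name(str_tag, text):
    """Build a constructed sample Name holding one CN (short-form lengths only)."""
    wrap = lambda tag, body: bytes([tag, len(body)]) + body
    atv = wrap(0x30, wrap(0x06, CN_OID) + wrap(str_tag, text.encode("latin-1")))
    return wrap(0x30, wrap(0x31, atv))

def same_cn(a, b):
    """Type-tolerant match: compare decoded text, ignore the string type tag."""
    return cn_of(a)[1] == cn_of(b)[1]
```

A peer that compares the encoded Name byte for byte treats the UTF8String and T61String forms of "*.domainname.net" as different subjects, while `same_cn` accepts them as equal.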

This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:19 CEST