From: Andreas Steffen (andreas.steffen_at_strongsec.com)
Date: Tue Aug 06 2002 - 13:42:37 CEST
If you want to introduce wildcards into Distinguished
Names I suggest the following things to you:
- Introduce a wildcard character, e.g. '*'. Then you
can define
rightid="C=NL, O=FooBar, CN=*"
or even
rightid="C=NL, O=*, CN=*"
Each Relative Distinguished Name must be present
but can contain a wildcard character. I don't know
if it makes sense to extend the matching to regular
expressions. This is up to you.
- You must then hack the same_dn() function in x509.c
to make it support wildcard comparisons.
- In connections.h you can add a boolean variable
has_host_wildcard to the end struct which can be
set by extract_end() in connections.c when
a DN possesses wildcards.
- In add_connection() in connections.c you can extend
the expression
c->kind = (isanyaddr(&c->that.host_addr) ||
c->that.has_client_wildcard ||
c->that.has_host_wildcard) ?
CK_TEMPLATE : CK_PERMANENT;
to define a template. For each host matching the
wildcard DN an instance will be created. This solves
your problem that only one connection will be
accepted. When the instance is created you must
make sure that the wildcard DN is replaced by the
full DN received from the peer.
If you adhere to these recommendations it will be
possible to integrate your patch into the X.509
distribution.
Regards
Andreas
Peter Busser wrote:
> Hi!
>
>
>>One method of restricting access without modifying the
>>source code is to use IPsec in combination with iptables
>>or ipchains firewall rules.
>
>
> I hacked a bit at the source and it looks like this patch
> does what I want. It has one flaw, it seems to allow only
> one connection. If I connect using one box, it works. And
> if I connect from a second box, the first connection stops
> working but the second works. It seems that it replaces the
> first connection with the second one.
>
> It does however filter on parts of a DN. If you put:
> rightid="C=NL"
> in the ipsec.conf, it will only allow connections from
> valid certificates with C=NL. And you can do:
>
> rightid="C=NL, O=FooBar"
>
> too. It will only allow connections from valid certificates
> from organisation FooBar in the Netherlands.
>
> Do you have any idea how to solve the connection replacement
> problem? And if that problem is solved, can this be included
> in the official x509 patch?
>
> Groetjes,
> Peter Busser
======================================================================
Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH phone: +41 76 340 25 56
Alter Zürichweg 20 home: http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==
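An added illustration of the matching rule proposed above (this is not FreeS/WAN or X.509-patch code; parse_dn(), same_dn_wildcard(), dn_has_wildcard() and instantiate_id() are hypothetical stand-ins for the same_dn() change, the has_host_wildcard flag and the template instantiation step): every RDN of the configured pattern must be present in the peer's DN, in the same position and with the same attribute type, and a pattern value of '*' matches any value, while any other value must match exactly. The sample DNs are constructed.

```c
/* Added example: wildcard matching of X.509 Distinguished Names as proposed
 * in the mail above. Hypothetical code, not part of FreeS/WAN or the X.509 patch. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_RDN 16   /* maximum RDNs per DN (assumption of this example) */
#define MAX_LEN 128  /* maximum length of one attribute type or value */

typedef struct { char type[MAX_LEN]; char value[MAX_LEN]; } rdn_t;
typedef struct { int count; rdn_t rdn[MAX_RDN]; } dn_t;

/* strip leading and trailing white space in place */
static void trim(char *s)
{
    char *start = s;
    size_t n;
    while (*start && isspace((unsigned char)*start)) start++;
    n = strlen(start);
    while (n > 0 && isspace((unsigned char)start[n - 1])) n--;
    memmove(s, start, n);
    s[n] = '\0';
}

/* attribute types (C, O, CN, ...) compare case-insensitively */
static bool same_type(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return false;
    return *a == '\0' && *b == '\0';
}

/* Parse "C=NL, O=FooBar, CN=*" into type/value pairs. Returns false on
 * malformed input: missing '=', empty type or value, too many or too long parts. */
bool parse_dn(const char *text, dn_t *dn)
{
    const char *p = text;
    dn->count = 0;
    while (*p) {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        char part[MAX_LEN], *eq;
        rdn_t *r;
        if (len == 0 || len >= MAX_LEN || dn->count >= MAX_RDN) return false;
        memcpy(part, p, len);
        part[len] = '\0';
        eq = strchr(part, '=');
        if (eq == NULL) return false;
        *eq = '\0';
        r = &dn->rdn[dn->count];
        strcpy(r->type, part);
        strcpy(r->value, eq + 1);
        trim(r->type);
        trim(r->value);
        if (r->type[0] == '\0' || r->value[0] == '\0') return false;
        dn->count++;
        p = comma ? comma + 1 : p + len;
    }
    return dn->count > 0;
}

/* The wildcard-aware replacement for same_dn(): same number of RDNs, same
 * types in the same order; a pattern value of "*" matches anything, any
 * other value must match the peer's value exactly. The wildcard is only
 * honoured on the (locally configured) pattern side, never on the peer side. */
bool same_dn_wildcard(const char *pattern, const char *peer)
{
    dn_t a, b;
    int i;
    if (!parse_dn(pattern, &a) || !parse_dn(peer, &b)) return false;
    if (a.count != b.count) return false;
    for (i = 0; i < a.count; i++) {
        if (!same_type(a.rdn[i].type, b.rdn[i].type)) return false;
        if (strcmp(a.rdn[i].value, "*") == 0) continue;
        if (strcmp(a.rdn[i].value, b.rdn[i].value) != 0) return false;
    }
    return true;
}

/* What extract_end() would compute for has_host_wildcard. */
bool dn_has_wildcard(const char *text)
{
    dn_t dn;
    int i;
    if (!parse_dn(text, &dn)) return false;
    for (i = 0; i < dn.count; i++)
        if (strcmp(dn.rdn[i].value, "*") == 0) return true;
    return false;
}

/* Template instantiation: the wildcard DN of the template is replaced by the
 * full DN the peer presented, so each peer gets its own instance. */
bool instantiate_id(const char *pattern, const char *peer, char *out, size_t outlen)
{
    if (!same_dn_wildcard(pattern, peer) || strlen(peer) >= outlen) return false;
    strcpy(out, peer);
    return true;
}

int main(void)
{
    const char *pattern = "C=NL, O=FooBar, CN=*";   /* constructed rightid */
    const char *peers[] = { "C=NL, O=FooBar, CN=alice",   /* constructed peer DNs */
                            "C=NL, O=Other, CN=bob",
                            "C=NL, O=FooBar" };
    char id[256];
    size_t i;
    for (i = 0; i < sizeof peers / sizeof peers[0]; i++) {
        if (instantiate_id(pattern, peers[i], id, sizeof id))
            printf("match:    %s -> instance id \"%s\"\n", peers[i], id);
        else
            printf("no match: %s\n", peers[i]);
    }
    return 0;
}
```

Two points of the design are worth noting. The third sample peer, "C=NL, O=FooBar", is rejected although it is a prefix of the pattern: under the rule in the mail each RDN of the pattern must be present, so a missing CN is not treated as a match. And because '*' is only interpreted on the pattern side, a certificate whose subject literally contains "CN=*" matches nothing but a pattern that itself says "CN=*"; a peer cannot widen the match through the DN in its own certificate. Value comparison here is a plain byte comparison, which is an assumption of this example rather than the matching rules of the real same_dn().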
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.4 : Tue Aug 06 2002 - 17:19:31 CEST