[strongSwan] leftID and rightID

nima chavooshi nima0102 at gmail.com
Fri Sep 30 20:25:49 CEST 2011


Hi
Really, thanks for your attention and complete reply.
Then, according to your explanation, it's better that I set SubjectAltName
instead of DN, is that true?
In a previous mail, you told me that if I do not set leftid or my certificate does not
contain a DN or SubjectAltName, then one default value will be selected, ok, but
what is this value?
Another question is, can I set "rightcert" instead of rightid?
In order to restrict and increase security in the connection phase of two
gateways, it's better that I set DN or SubjectAltName so that only the gateway I want
can connect to my gateway.


Thanks a lot for your help.

On Sunday, September 25, 2011, Andreas Steffen <
andreas.steffen at strongswan.org> wrote:
> The subject distinguished name or subject DN of an X.509 certificate
> consists of several Relative Distinguished Names (RDNs) and therefore
> can be quite tiresome to write as in
>
> "C=DE, ST=Mecklenburg-Vorpommern, L=Rostock, O=Finanzamt,
>  OU=Zentrale Informations- und Annahmestelle, CN=steuerportal-mv.de,
>  E=poststelle at fm.mv-regierung.de"
>
> Therefore often one or several subjectAlternativeNames or Aliases
> are added as X.509v3 extensions to a certificate, like e.g.
>
>  DNS:moon.strongswan.org
>  email:carol at strongswan.org
>  IP:11.22.33.44
>
> (given in openssl.cnf notation) which saves a lot of typing work and
> helps to eliminate errors.
>
> Regards
>
> Andreas
>
> On 09/25/2011 02:58 PM, nima chavooshi wrote:
>>
>> Hi
>> Thanks a lot for your quick reply.
>> Excuse me for my dummy question. I am somewhat confused.
>> Could you give me more explanation about the "subject distinguished name",
>> "subjectAltName" and "subject DN" fields on an X509 certificate?
>> According to what you told me, I should define leftid at least, is that true?
>>
>> Thanks in advance for any help or guidance
>>
>> On Sun, Sep 25, 2011 at 2:16 PM, Andreas Steffen
>> <andreas.steffen at strongswan.org <mailto:andreas.steffen at strongswan.org>>
>> wrote:
>>
>>     Hello,
>>
>>     left|rightid *must* be either the subject distinguished name or
>>     a subjectAltName extension contained in the certificate. If you
>>     don't define leftid or if leftid is not defined in the certificate
>>     then automatically the subject DN is assumed as a default.
>>
>>     As a responder you can define rightid=%any, in that case any
>>     peer with a trusted and non-revoked certificate will be accepted.
>>
>>     Regards
>>
>>     Andreas
>
> --
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
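The thread above describes the rule that left|rightid must equal either the subject DN or one of the subjectAltNames of the certificate, and shows the openssl.cnf notation for those names. The following is an added, constructed configuration example (not from the original mail or from the strongSwan project); the section name `moon_ext`, the file names `moonCert.pem`/`sunCert.pem`, the peer DN "C=CH, O=strongSwan, CN=sun.strongswan.org" and the IP 10.1.0.1 are assumed placeholders.

```ini
# ---- openssl.cnf: extension section used when issuing the gateway certificate ----
# The three subjectAltName forms below are the ones named in the mail above;
# any one of them (or the full subject DN) is a valid leftid for this certificate.
[ moon_ext ]
subjectAltName = DNS:moon.strongswan.org, email:carol@strongswan.org, IP:11.22.33.44
# issue with, e.g.:  openssl req -new -x509 -key moonKey.pem -config openssl.cnf \
#                    -extensions moon_ext -out moonCert.pem

# ---- ipsec.conf: gateway "moon" restricted to the single peer "sun" ----
conn moon-sun
    leftcert=moonCert.pem
    # leftid omitted would default to the subject DN of moonCert.pem;
    # a SAN is shorter and less error-prone than typing every RDN of the DN.
    leftid=moon.strongswan.org
    # rightid pins the peer identity: the peer's certificate must be trusted,
    # non-revoked AND carry this DN (or SAN) for the connection to match.
    rightid="C=CH, O=strongSwan, CN=sun.strongswan.org"
    # rightcert=sunCert.pem   # optional: additionally pin the exact peer certificate
    right=10.1.0.1
    auto=add

# ---- weaker alternative for a responder that accepts any trusted peer ----
conn moon-any
    leftcert=moonCert.pem
    leftid=moon.strongswan.org
    rightid=%any            # any peer with a trusted, non-revoked certificate is accepted
    right=%any
    auto=add
```

The `moon-sun` conn is the restrictive setting the question asks for: only a peer presenting a certificate whose subject DN (or a SAN) equals the configured `rightid` can match it. The `moon-any` conn shows the `rightid=%any` behaviour described in the first reply, where the CA trust decision alone selects the peers.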