[strongSwan] leftID and rightID
nima0102 at gmail.com
Fri Sep 30 20:25:49 CEST 2011
Really, thanks for your attention and complete reply.
Then, according to your explanation, it's better that I set SubjectAltName
instead of DN, is that true?
In the previous mail, you told me that if I do not set leftid or my certificate does not
contain a DN or SubjectAltName, then one default value will be selected. OK, but
what is this value?
Another question is: can I set "rightcert" instead of rightID?
In order to restrict and increase security in the connection phase of two
gateways, it's better that I set DN or SubjectAltName so that only the gateway I want
can connect to my gateway.
Thanks a lot for your help.
On Sunday, September 25, 2011, Andreas Steffen <
andreas.steffen at strongswan.org> wrote:
> The subject distinguished name or subject DN of an X.509 certificate
> consists of several Relative Distinguished Names (RDNs) and therefore
> can be quite tiresome to write as in
> "C=DE, ST=Mecklenburg-Vorpommern, L=Rostock, O=Finanzamt,
> OU=Zentrale Informations- und Annahmestelle, CN=steuerportal-mv.de,
> E=poststelle at fm.mv-regierung.de"
> Therefore often one or several subjectAlternativeNames or Aliases
> are added as X.509v3 extensions to a certificate, like e.g.
> email:carol at strongswan.org
> (given in openssl.cnf notation) which saves a lot of typing work and
> helps to eliminate errors.
> On 09/25/2011 02:58 PM, nima chavooshi wrote:
>> Thanks a lot for your quick reply.
>> Excuse me for my dummy question. I am somewhat confused.
>> Could you give me more explanation about the "subject distinguished name",
>> "subjectAltName", "subject DN" fields of an X509 certificate?
>> According to what you told me, I should define leftid at least, is that true?
>> Thanks in advance for any help or guidance
>> On Sun, Sep 25, 2011 at 2:16 PM, Andreas Steffen
>> <andreas.steffen at strongswan.org> wrote:
>> left|rightid *must* be either the subject distinguished name or
>> a subjectAltName extension contained in the certificate. If you
>> don't define leftid or if leftid is not defined in the certificate
>> then automatically the subject DN is assumed as a default.
>> As a responder you can define rightid=%any, in that case any
>> peer with a trusted and non-revoked certificate will be accepted.
> Andreas Steffen andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
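
The identity rules quoted in this thread, as an added ipsec.conf sketch that is not part of the original messages or of the strongSwan project's own examples. All addresses, certificate file names, DNs and host names are constructed placeholders.

```conf
# /etc/ipsec.conf -- added illustration, not from the original thread.
# Addresses, certificate file names, DNs and host names are constructed.

# Permissive responder: any peer presenting a trusted, non-revoked
# certificate is accepted, whatever identity it asserts.
conn accept-any-peer
    left=192.0.2.1
    leftcert=gwACert.pem
    # leftid omitted: the subject DN of gwACert.pem is assumed as the default
    right=%any
    rightid=%any
    auto=add

# Restricted by subject DN: only a peer whose trusted certificate
# carries exactly this subject DN is accepted.
conn only-gw-b-by-dn
    left=192.0.2.1
    leftcert=gwACert.pem
    leftid="C=CH, O=Example Org, CN=gw-a.example.org"
    right=198.51.100.1
    rightid="C=CH, O=Example Org, CN=gw-b.example.org"
    auto=add

# Restricted by subjectAltName: shorter to type than a full DN.
# Each ID must be present as a subjectAltName extension in the
# corresponding certificate.
conn only-gw-b-by-san
    left=192.0.2.1
    leftcert=gwACert.pem
    leftid=@gw-a.example.org
    right=198.51.100.1
    rightid=@gw-b.example.org
    auto=add
```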