[strongSwan] ipsec.conf:: rightca= ?

Mark Enstone mark at m-87.com
Tue May 6 01:29:55 CEST 2014


Tobias,

Perfect, great explanation. The "rightca=@#<hex SHAH hash>" worked great
for me.

Thank you,
~Mark


On Mon, May 5, 2014 at 6:53 AM, Tobias Brunner <tobias at strongswan.org>wrote:

> Hi Mark,
>
> > 17:03:45 06[CFG] CA certificate *"C=US, O=Entrust, Inc.,
> > OU=www.entrust.net/rpa is incorporated by
> > reference, OU=(c) 2009 Entrust, Inc., CN=Entrust Certification Authority
> > - L1C" not found, discarding CA constraint*
>
> That's due to a limitation of the DN string parser:  It can't handle
> comma's in RDNs (which are already separated with commas).
>
> According to RFC 4514 [1] commas could be escaped with backslashes in
> string representations (e.g. "O=Entrust\, Inc.") but strongSwan
> currently doesn't support such escape sequences either.
>
> And because the parser supports an alternative encoding that uses
> slashes to separate RDNs (e.g. "/C=US/O=Entrust, Inc./OU=..."), but
> currently handles commas and slashes interchangeably, the slash in the
> URL in the first OU RDN triggers the same issue.
>
> We could easily change the parser so it uses either commas or slashes
> (if the string starts with a slash) as separator in one DN.  But this
> would only help if you could get rid of either the slash or the commas.
>  Otherwise, a bigger change in the parser would be required (e.g. adding
> support for escape sequences).
>
> Fortunately there is a simple workaround for this.  You can use key IDs
> instead of DNs to identify the CA.  Something like rightca=@#<hex> where
> <hex> is the hex encoded SHA1 hash of either subjectPublicKey or
> subjectPublicKeyInfo of your CA certificate.  You can determine those
> with pki --print.  The hash over the subjectPublicKey is also encoded in
> certificates issued by the pki utility, as subjectKeyIdentifier
> extension, and also as authorityKeyIdentifier extension in end-entity
> certificates issued by a CA.
>
> Regards,
> Tobias
>
> [1] http://tools.ietf.org/html/rfc4514#section-3
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20140505/e82d0a0c/attachment.html>


More information about the Users mailing list