[Vpn-help] Faulty remote ID checking Take 2 ...

Matthew Grooms mgrooms at shrew.net
Sat Sep 16 18:59:25 CDT 2006

Matthew Grooms wrote:
> Matthew Grooms wrote:
> Alright, I think we should be good now ...
> ------------------------------------------------------------------------
> r636 | mgrooms | 2006-09-16 16:28:46 +0000 (Sat, 16 Sep 2006) | 11 lines
> Rewrite the site configuration manager id handling functions. When the
> user selects a new authentication or exchange type, only reset the ID
> type and associated data if it is no longer valid.
> Allow all id types for RSA authentication modes instead of only asn1dn.
> While this offers more flexibility for configuration, it's not usually a
> good idea. Typically when a gateway has id checking enabled, it will
> reject any ID except for a valid asn1dn because the value won't match the
> subject name in the certificate payload later offered by the peer being
> identified.
> Allow for asn1dn IDs to be manually entered in the Site Configuration.
> The DN must be an exact match for peer authentication to complete
> successfully. The delimiter used for the manually entered DNs may be
> forward slashes or commas.
> Continue to allow the asn1dn subject to be pulled from the local
> certificate for use as the local ID when a mutual RSA mode is selected.
> Remove the option for pulling the asn1dn subject from the remote
> certificate as it could not be used for ID comparison. The peer would
> offer its certificate subject ID and not the CA subject id which is what
> we have a copy of. If a peer asn1dn value is not manually entered for a
> site configuration, the remote id offered by the peer will not be
> verified with a specific ID value but will be used to compare against
> any future cert payload subjects that are offered in the future. This is
> the same behavior as ipsec-tools.
> Add two new functions to ipsecd to convert from text to asn1dn and back
> to text. Add a new function for creating a peerid from the site
> configuration parameters for either the initiator or the responder. Add
> another function to compare two arbitrary id types. Use these functions
> instead of in-lining the logic in other places where it does not belong.
> ------------------------------------------------------------------------

And ...

r637 | mgrooms | 2006-09-16 17:00:34 +0000 (Sat, 16 Sep 2006) | 1 line

Be more careful about where we add a null terminating character for
logging purposes. This causes id length comparison failures for pure
text id types such as fqdn and ufqdn.
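As an added example (not ipsecd's own code; the type names and struct layout are hypothetical), this shows the two points the commits above make: IDs are compared by type plus an explicit byte length so that a NUL appended for logging can never change the result for text types such as fqdn and ufqdn, and a manually entered asn1dn is accepted with either '/' or ',' delimiters and canonicalised before the exact comparison.

```c
#include <ctype.h>
#include <string.h>

enum id_type { ID_FQDN, ID_UFQDN, ID_ASN1DN };   /* hypothetical, not ipsecd's */
struct peerid { enum id_type type; size_t len; unsigned char data[128]; };

/* Canonicalise a typed DN: RDNs split on '/' or ',', trimmed, re-joined with ','; returns RDN count or -1. */
int text_to_dn(const char *text, char *out, size_t outlen)
{
    size_t o = 0; int count = 0;
    while (*text) {
        while (*text == '/' || *text == ',' || isspace((unsigned char)*text)) text++;
        if (!*text) break;
        const char *start = text;
        while (*text && *text != '/' && *text != ',') text++;
        const char *end = text;
        while (end > start && isspace((unsigned char)end[-1])) end--;
        size_t n = (size_t)(end - start);
        if (o + n + 2 > outlen) return -1;      /* room for ',' and the NUL */
        if (count++) out[o++] = ',';
        memcpy(out + o, start, n); o += n;
    }
    out[o] = '\0';
    return count;
}
/* Store an ID as type + explicit byte length; the NUL used by C string functions is never counted. */
int peerid_from_text(struct peerid *id, enum id_type type, const char *text)
{
    char dn[sizeof id->data + 1];
    if (type == ID_ASN1DN) {                    /* manual DN, '/' or ',' delimited */
        if (text_to_dn(text, dn, sizeof dn) < 0) return -1;
        text = dn;
    }
    size_t n = strlen(text); if (n > sizeof id->data) return -1;
    id->type = type; id->len = n;
    memcpy(id->data, text, n);                  /* bytes only, no terminator */
    return 0;
}
/* Exact match of two arbitrary IDs: same type, same length, same bytes. */
int peerid_cmp(const struct peerid *a, const struct peerid *b)
{
    return a->type == b->type && a->len == b->len && memcmp(a->data, b->data, a->len) == 0;
}
/* Check a configured ID against the one a peer offers: 1 on match, else 0. */
int ids_match(enum id_type ta, const char *a, enum id_type tb, const char *b)
{
    struct peerid x, y;
    if (peerid_from_text(&x, ta, a) || peerid_from_text(&y, tb, b)) return 0;
    return peerid_cmp(&x, &y);
}
```

Any text rendering for logs should copy `data[0..len)` into a separate buffer and terminate that copy, never the stored bytes.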
