[Vpn-help] New 2.1.0 alpha 8 release ...
Matthew Grooms
mgrooms at shrew.net
Thu Feb 21 19:36:38 CST 2008
David Santinoli wrote:
> On Wed, Feb 20, 2008 at 09:23:09PM -0600, Matthew Grooms wrote:
>> RSA keys and certificate data are now encapsulated in exported site
>> configuration files.
>
> Great! Thanks a lot, Matthew!
>
> Can you confirm that the entries in the configuration file are the
> base64-encoded version of the textual (PEM) representation of the
> keys/certs? I am aiming towards the fully-automated generation of such
> configuration files, and the goal seems really near now.
>
Yes. The rudimentary configuration file format encodes any binary value
as base64. Currently, the only two uses are auth-mutual-psk and the
auth-server-cert-data attribute. The latter attribute is only found in
an exported configuration file.
> BTW, does the client always need to dump key and certs to local files?
> What would happen if I removed the 'auth-client-cert' and similar
> entries from the configuration file?
>
Here is how it works. A configuration on windows is stored in the
registry while configurations on unix are stored in files under the
~/.ike/sites directory. When you request that a file be exported, the
access manager finds a key/cert file based on the path contained in the
attribute value, truncates the path down to only the file name and adds
a new binary attribute that contains the file contents. The process is
reversed for an import. For example ...
s:auth-server-cert:<path to file>\ca.crt
... gets exported as ...
s:auth-server-cert:ca.crt
b:auth-server-cert-data:<base64 data of ca.crt>
... I forgot to mention in the latest release email that a configuration
directory hierarchy similar to the one used on unix platforms is now
created on windows platforms as well. It exists as ...
<My Docs>\Shrew Soft VPN
<My Docs>\Shrew Soft VPN\certs
<My Docs>\Shrew Soft VPN\sites
... So, back to the configuration example ...
s:auth-server-cert:ca.crt
b:auth-server-cert-data:<base64 data of ca.crt>
... gets imported as ...
( on windows )
s:auth-server-cert:<My Docs>\Shrew Soft VPN\certs\ca.crt
( on unix )
s:auth-server-cert:~/.ike/certs/ca.crt
... The file referenced by the auth-server-cert attribute is created
using the base64 encoded data contained in the auth-server-cert-data
attribute. After the file is created, the data attribute is deleted.
To answer your last question, if you removed the attributes from an
exported file then the imported site configuration would be non-functional.
Hope this helps,
-Matthew
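The export/import transformation Matthew describes, as an added example that is not part of the original thread and not Shrew Soft's own code: it assumes a line format of `<type>:<name>:<value>` with `s:` for strings and `b:` for base64 binary values (inferred from the examples above), implements the `auth-server-cert` to `auth-server-cert-data` rewrite in both directions, and shows that an export with the data attribute stripped cannot be imported into a working configuration. The file-name check on import is this example's own defensive choice, not documented client behaviour. The sample PEM body and the `auth-mutual-psk` value are constructed placeholders.

```python
import base64
import os
import tempfile

# Attribute names taken from the post: the path attribute and its companion
# binary attribute that only appears in an exported configuration.
CERT_ATTR = "auth-server-cert"
CERT_DATA_ATTR = CERT_ATTR + "-data"

# Constructed placeholder standing in for ca.crt; the body is not a real certificate.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=\n"
    "-----END CERTIFICATE-----\n"
)


def parse_site(text):
    """Parse '<type>:<name>:<value>' lines into (type, name, value) tuples.
    Split at most twice: a Windows path value such as C:\\... contains ':' itself."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            kind, name, value = line.split(":", 2)
            entries.append((kind, name, value))
    return entries


def format_site(entries):
    return "".join(f"{k}:{n}:{v}\n" for k, n, v in entries)


def _file_name(path):
    # Truncate a stored path (either platform's separator) to its last component.
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def export_site(entries):
    """Export: read the file the path attribute points at, keep only the file
    name and add a base64 'b:' attribute carrying the file contents."""
    out = []
    for kind, name, value in entries:
        if kind == "s" and name == CERT_ATTR:
            with open(value, "rb") as fh:
                blob = fh.read()
            out.append(("s", name, _file_name(value)))
            out.append(("b", CERT_DATA_ATTR, base64.b64encode(blob).decode("ascii")))
        else:
            out.append((kind, name, value))
    return out


def import_site(entries, certs_dir):
    """Import: write the decoded data attribute to <certs_dir>/<name>, point the
    path attribute at that file and drop the data attribute. Raises ValueError
    when the data attribute is missing (the imported site would be non-functional)."""
    data_b64 = next((v for k, n, v in entries if k == "b" and n == CERT_DATA_ATTR), None)
    out = []
    for kind, name, value in entries:
        if kind == "b" and name == CERT_DATA_ATTR:
            continue  # consumed when the path attribute is rewritten
        if kind == "s" and name == CERT_ATTR:
            if data_b64 is None:
                raise ValueError(f"{CERT_ATTR} present but {CERT_DATA_ATTR} missing")
            # This example's own check, not documented client behaviour: an exported
            # file is untrusted input, so only a bare file name may be written.
            if value in ("", ".", "..") or any(c in value for c in "/\\:"):
                raise ValueError(f"refusing unsafe certificate file name {value!r}")
            path = os.path.join(certs_dir, value)
            with open(path, "wb") as fh:
                fh.write(base64.b64decode(data_b64, validate=True))
            out.append(("s", name, path))
        else:
            out.append((kind, name, value))
    return out


def round_trip():
    """Run export then import in a scratch directory and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        ca_path = os.path.join(tmp, "ca.crt")
        with open(ca_path, "w") as fh:
            fh.write(SAMPLE_PEM)
        # Constructed stored configuration; 'auth-mutual-psk' is the other base64
        # attribute the post names, its value here ("secret") is arbitrary.
        stored = parse_site(f"b:auth-mutual-psk:c2VjcmV0\ns:{CERT_ATTR}:{ca_path}\n")
        exported = export_site(stored)
        certs_dir = os.path.join(tmp, "certs")
        os.mkdir(certs_dir)
        imported = import_site(exported, certs_dir)
        with open(os.path.join(certs_dir, "ca.crt")) as fh:
            written = fh.read()
        # An export with the data attribute stripped cannot be materialised.
        stripped = [e for e in exported if e[1] != CERT_DATA_ATTR]
        try:
            import_site(stripped, certs_dir)
            stripped_fails = False
        except ValueError:
            stripped_fails = True
    return {
        "exported": exported,
        "imported": imported,
        "written": written,
        "pem_b64": base64.b64encode(SAMPLE_PEM.encode()).decode("ascii"),
        "imported_path": os.path.join(certs_dir, "ca.crt"),
        "stripped_fails": stripped_fails,
    }


if __name__ == "__main__":
    r = round_trip()
    print(format_site(r["exported"]))
    print(format_site(r["imported"]))
```

Two practical points follow from the format: base64 is an encoding, not encryption, so an exported file that carries an RSA private key is as sensitive as the key file itself and needs the same handling; and because an import writes files into the certs directory using a name taken from the configuration, anything that consumes exported files from untrusted sources should insist on a bare file name, as the example does.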