Dear Ashish,

If you write

rightid="C=IN, ST=KAR, O=XXXXX, OU=XXXX,
         CN=FTM/[email protected]"

then this ASCII string is converted into the following ASN.1
representation

        C=IN, ST=KAR, O=XXXXX, OU=XXXX,
        CN=FTM, [email protected]

because both the ',' and the '/' character are recognized as
RDN separators:

openssl x509 -in cert.pem -subject -noout generates

subject=/C=IN/ST=KAR/O=XXXXX/OU=XXXX/CN=FTM/[email protected]

Unfortunately in the certificate the emailAddress got coded right into
the Common Name:

  CN=FTM/[email protected]

as the ASN.1 parsing clearly shows. This single CN RDN is not equal to

  CN=FTM, [email protected]

which consists of a CN RDN followed by an emailAddress RDN.

So please generate a new certificate with separate CN and emailAddress
RDNs or even better just omit the emailAddress in the subject DN
because this is bad practice anyway.

Best regards

Andreas

Andreas Steffen wrote:
> Dear Ashish,
> 
> there is an error in the rightid definition. The correct syntax is
> 
> rightid="C=IN, ST=KAR, O=XXXXX, OU=XXXX, CN=FTM,
>          [email protected]"
> 
> OpenSSL glues the email attribute with a slash right after the CN
> but it should be separated by a comma.
> 
> Regards
> 
> Andreas
> 
> ashish mahalka wrote:
>> Hello Andreas,
>>
>> I am getting an INVALID_ID_INFORMATION error with the certificate that I
>> am using. (the certificate is attached with this mail). From this error,
>> I understand that the subject of the certificate is not in the correct
>> format.
>> When I give the format as C=, ST=, O=, OU=, CN= it works but when the
>> format is (as mentioned in the certificate), it gives this error. The
>> pluto logs on both the peers are also attached. Below is the ipsec.conf
>> file that I am using :-
>>
>> config setup
>>         strictcrlpolicy=no
>>         plutodebug=all
>>         plutostart=yes
>>         charonstart=yes
>>         charondebug="dmn 2, mgr 2, ike 2, chd 2, job 2, cfg 2, knl 2,
>> net 2, lib 2"
>>         nat_traversal=no
>>  
>> ca  ipsec
>>        cacert=cacert.pem
>>        auto=add
>>  
>> conn %default
>>         ikelifetime=24h
>>         keylife=10m
>>         rekeymargin=2m
>>         keyingtries=1
>>         keyexchange=ikev1
>>         mobike=no
>>  
>>
>> conn host-host
>>        left=10.10.10.5
>>        leftsubnet=10.10.10.0/24
>>        leftcert=cert.pem
>>        leftsendcert=always
>>        right=10.10.10.2
>>        rightsubnet=10.10.10.0/24
>>        rightid="C=IN, ST=KAR, O=XXXXX, OU=XXXX,
>> CN=FTM/[email protected]"
>>        auto=add
>>
>> ( To maintain confidentiality, I have masked the actual values, though
>> you can see the actual values in the logs and the certificate)
>>
>> Thanks & Regards,
>> Ashish

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
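The mismatch Andreas describes (a rightid string that splits on ',' and '/' into two RDNs, versus a certificate whose subject carries a single CN RDN with the slash inside it) can be reproduced without a real certificate. The script below is an added example written for this page, not strongSwan code: it re-implements, in a simplified form that is an assumption about the daemon's behaviour, the DN-string parser and a minimal DER encoder/decoder for an X.509 Name, then compares the two identities byte for byte. The values C=IN, ST=KAR, O=XXXXX, OU=XXXX, CN=FTM are taken from the thread; the address ftm@example.com is a constructed stand-in for the masked one.

```python
"""Added toy model of the identity check behind INVALID_ID_INFORMATION.

Not strongSwan code.  Assumption: both the configured rightid and the
certificate subject are reduced to an ASN.1 DER Name and compared
byte for byte.  As in the thread, ',' and '/' are both RDN separators,
so a '/' inside a CN value cannot be expressed in the rightid string.
"""
import re

# Attribute types used in the thread and their standard OIDs.
OIDS = {
    "C": "2.5.4.6", "ST": "2.5.4.8", "O": "2.5.4.10", "OU": "2.5.4.11",
    "CN": "2.5.4.3", "emailAddress": "1.2.840.113549.1.9.1",
}
EMAIL_OID = OIDS["emailAddress"]


def parse_dn_string(text):
    """Split an ipsec.conf-style DN into [(type, value), ...].

    Both ',' and '/' separate RDNs, so "CN=FTM/emailAddress=x" becomes two
    RDNs and the leading-slash OpenSSL form "/C=IN/ST=..." parses as well.
    """
    rdns = []
    for part in re.split(r"[,/]", text):
        part = part.strip()
        if not part:
            continue  # empty field before a leading '/'
        key, sep, value = part.partition("=")
        key = key.strip()
        if not sep or key not in OIDS:
            raise ValueError("bad RDN %r" % part)
        rdns.append((key, value.strip()))
    return rdns


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def encode_name(rdns):
    """Name ::= SEQUENCE OF RDN; RDN ::= SET OF AttributeTypeAndValue."""
    seq = b""
    for key, value in rdns:
        oid = OIDS[key]
        str_tag = 0x16 if oid == EMAIL_OID else 0x0C  # IA5String vs UTF8String
        atv = _tlv(0x30, _encode_oid(oid) + _tlv(str_tag, value.encode("utf-8")))
        seq += _tlv(0x31, atv)
    return _tlv(0x30, seq)


def _read_tlv(data, pos):
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length


def decode_name(der):
    """Inverse of encode_name, i.e. what an ASN.1 dump of the subject shows."""
    by_oid = {_encode_oid(v): k for k, v in OIDS.items()}
    _, body, _ = _read_tlv(der, 0)
    rdns, pos = [], 0
    while pos < len(body):
        _, rdn_set, pos = _read_tlv(body, pos)  # SET
        _, atv, _ = _read_tlv(rdn_set, 0)       # SEQUENCE
        _, _, after_oid = _read_tlv(atv, 0)     # OBJECT IDENTIFIER
        _, value, _ = _read_tlv(atv, after_oid)
        rdns.append((by_oid[atv[:after_oid]], value.decode("utf-8")))
    return rdns


def ids_match(rightid, cert_subject):
    """The check that fails in the thread: compiled rightid DER == subject DER."""
    return encode_name(parse_dn_string(rightid)) == encode_name(cert_subject)


# Constructed stand-ins for the masked values in the mails.
RIGHTID = "C=IN, ST=KAR, O=XXXXX, OU=XXXX, CN=FTM/emailAddress=ftm@example.com"
BASE = [("C", "IN"), ("ST", "KAR"), ("O", "XXXXX"), ("OU", "XXXX")]
SUBJECT_AS_ISSUED = BASE + [("CN", "FTM/emailAddress=ftm@example.com")]   # one CN RDN
SUBJECT_FIXED = BASE + [("CN", "FTM"), ("emailAddress", "ftm@example.com")]  # two RDNs

if __name__ == "__main__":
    print("rightid parses to:     ", parse_dn_string(RIGHTID))
    print("issued cert decodes to:", decode_name(encode_name(SUBJECT_AS_ISSUED)))
    print("match, cert as issued: ", ids_match(RIGHTID, SUBJECT_AS_ISSUED))
    print("match, regenerated cert:", ids_match(RIGHTID, SUBJECT_FIXED))
```

Running it shows the rightid compiling to six RDNs while the issued certificate decodes to five, the last being a single CN whose value still contains the slash, so the DER comparison fails; against a certificate with separate CN and emailAddress RDNs the same rightid matches. The byte-exact comparison is a simplification: real implementations are more lenient about string types and case, but they do not merge or split RDNs, which is the point of the thread.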