
Re: [Users] safenet and superfreeswan

From: Andreas Steffen <andreas.steffen(at)strongsec.net>
Date: Tue Apr 06 2004 - 11:53:46 EDT

You are using SuperFreeS/WAN 1.99.8 which is based on version 0.9.32 of the X.509 patch. Unfortunately this version cannot handle multiple certificate requests yet. This feature was introduced with version 0.9.33.

Excerpt from the X.509 CHANGES file:

Version 0.9.33


  • Until now only one certificate request (CR) payload could be handled. Now multiple CRs are collected and are taken into account when selecting an appropriate connection.

Your SafeNet client is currently configured to send CRs for all CAs that it knows of:

| requested CA: 'C=DE, ST=NRW, L=Aachen, O=Allflex, E=ca@allflex.de'
| requested CA: 'DC=com, DC=microsoft, CN=Microsoft Root Certificate Authority'
| requested CA: 'OU=Copyright (c) 1997 Microsoft Corp., OU=Microsoft
                  Corporation, CN=Microsoft Root Authority'
| requested CA: 'C=US, O=MSFT, CN=Microsoft Authenticode(tm) Root Authority'
| requested CA: 'O=Microsoft Trust Network, OU=Microsoft Corporation,
                  OU=Microsoft Time Stamping Service Root, OU=Copyright
                  (c) 1997 Microsoft Corp.'
| requested CA: 'O=VeriSign Trust Network, OU=VeriSign, Inc., OU=VeriSign Time
                  Stamping Service Root, OU=NO LIABILITY ACCEPTED, (c)97 VeriSign, Inc.'
| requested CA: 'C=hk, O=C&W HKT SecureNet CA SGC Root'
| requested CA: 'C=FR, O=Certplus, CN=Class 3TS Primary CA'
| requested CA: 'C=MX, CN=Autoridad Certificadora del Colegio Nacional de
                  Correduria Publica Mexicana, A.C., O=Colegio Nacional de
                  Correduria Publica Mexicana, A.C.'
| requested CA: 'C=us, ST=Utah, L=Salt Lake City, O=Digital Signature Trust Co.,
                  OU=United Parcel Service, CN=DST (UPS) RootCA, E=ca@digsigtrust.com'
| requested CA: 'C=FR, O=Certiposte, CN=Certiposte Classe A Personne'
| requested CA: 'L=ValiCert Validation Network, O=ValiCert, Inc., OU=ValiCert
                  Class 1 Policy Validation Authority,
                  CN=http://www.valicert.com/, E=info(at)valicert.com'

Workarounds:

  1. Use the SafeNet Certificate Manager to restrict the trusted CAs to your private CA (Just click the correct box). Then only one CR is sent and FreeS/WAN will be able to select the correct connection.

or

  2. Apply the following patch to SuperFreeS/WAN 1.99.8 and recompile and install the userland tools only (make programs; make install):

http://www.strongsec.com/freeswan/diffs/fs-1.9x/x509patch-0.9.32-to-0.9.33.diff

or

  3. Upgrade to the latest strongSwan (http://www.strongswan.org) or openswan (http://www.openswan.org) release.

Regards

Andreas


Andreas Steffen                   e-mail: andreas.steffen@strongsec.com
strongSec GmbH                    home:   http://www.strongsec.com
Alter Zürichweg 20                phone:  +41 1 730 80 64
CH-8952 Schlieren (Switzerland)   fax:    +41 1 730 80 65
==========================================[strong internet security]===

_______________________________________________
FreeS/WAN Users mailing list
users@lists.freeswan.org
https://mj2.freeswan.org/cgi-bin/mj_wwwusr
Received on Tue Apr 6 12:04:35 2004
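
The condition described in the message above can be checked from Pluto's debug output. The following is an added example, not part of the original message or of FreeS/WAN: it collects the "requested CA" lines (rejoining wrapped DNs) and flags the case where more than one CR arrives at an X.509 patch older than 0.9.33. The sample log is constructed from the lines quoted above; the function names, the use of the Allflex DN as the local CA and the plain string comparison of DNs are assumptions.

```python
import re

# Constructed sample modelled on the Pluto debug lines quoted in the message,
# including one DN wrapped across two lines.
SAMPLE_LOG = """\
| requested CA: 'C=DE, ST=NRW, L=Aachen, O=Allflex, E=ca@allflex.de'
| requested CA: 'DC=com, DC=microsoft, CN=Microsoft Root Certificate Authority'
| requested CA: 'OU=Copyright (c) 1997 Microsoft Corp., OU=Microsoft
                  Corporation, CN=Microsoft Root Authority'
| requested CA: 'C=FR, O=Certplus, CN=Class 3TS Primary CA'
"""
PREFIX = "| requested CA: '"


def requested_cas(log_text):
    """Collect the DN of every certificate request, rejoining wrapped lines."""
    cas, current = [], None
    for line in log_text.splitlines():
        if line.startswith(PREFIX):
            current = line[len(PREFIX):].rstrip()
        elif current is not None:
            current += " " + line.strip()
        else:
            continue
        if current.endswith("'"):          # closing quote ends the DN
            cas.append(re.sub(r"\s+", " ", current[:-1]).strip())
            current = None
    return cas


def handles_multiple_crs(x509_patch_version):
    """Multiple CR payloads are supported from X.509 patch 0.9.33 on."""
    return tuple(int(p) for p in x509_patch_version.split(".")) >= (0, 9, 33)


def diagnose(log_text, local_ca_dn, x509_patch_version):
    """Return (status, number_of_CRs) for one peer's certificate requests."""
    cas = requested_cas(log_text)
    # Assumption: plain case-insensitive string comparison of DNs.
    if local_ca_dn.lower() not in (ca.lower() for ca in cas):
        return "local CA not requested", len(cas)
    if len(cas) > 1 and not handles_multiple_crs(x509_patch_version):
        return "multiple CRs, patch too old", len(cas)
    return "ok", len(cas)


if __name__ == "__main__":
    # Assumption: the Allflex CA is the gateway's own (private) CA.
    ca = "C=DE, ST=NRW, L=Aachen, O=Allflex, E=ca@allflex.de"
    print(diagnose(SAMPLE_LOG, ca, "0.9.32"))
```
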

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:02:30 EDT

