[Swan] INVALID_ID_INFORMATION
Paul Wouters
paul at nohats.ca
Thu Jan 31 18:20:43 UTC 2019
On Thu, 31 Jan 2019, LAURIA Giuseppe wrote:
> We are using libreswan between two different RedHat Servers and want to do host-to-host transport tunnel encryption to port 8080.
> Left: RHEL 7.6 ( SELinux set to Permissive )
> libreswan version: libreswan-3.25-2.el7.x86_64
> Right: RHEL 6.10
>
> Libreswan version: libreswan-3.15-7.5.el6_9.x86_64
> I have to say that the left certificate has a CN which contains a left-server-alias for a load balancer, which is not yet in place. But the certificate also has a SAN list
> which contains the correct hostname.
>
> But if libreswan ignores SAN and checks for the exact entry in the first DN, then this will fail.
> Can you say whether libreswan checks also for the SAN entries ?
libreswan does check SAN entries, but 3.15 is very old and does not have
all the flexibility of recent libreswan versions with respect to certificates.
> Jan 31 18:31:13: "cloud_core_tunnel" #681: Main mode peer ID is ID_DER_ASN1_DN: '<CN-of-LB-Alias-which-does-not-yet-exist>'
I would recommend using the full DN for the leftid/rightid to avoid the
subjectAltNames altogether.
Paul
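To make the recommendation above concrete, here is an added example (not part of Paul's reply and not libreswan project code) that builds a throwaway certificate with the same shape as the one described in the thread, a CN holding a load-balancer alias and a SAN holding the real hostname, then extracts the subject DN in the comma-separated, certificate-order form that ipsec.conf(5) documents for `leftid="C=..., O=..., CN=..."`, checks the SAN for the expected hostname, and renders a transport-mode conn for port 8080 that pins both peers to their full DN. The addresses (RFC 5737 ranges), the `leftCert` NSS nickname, the `XX`/`Example` DN components and the `.example.test` hostnames are placeholders of this example; the certificate is generated locally and discarded.

```shell
#!/bin/sh
# Added example: pin libreswan peer IDs to the full certificate DN instead of
# relying on CN or subjectAltName matching. Requires openssl 1.1.1+ (-addext).
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# make_test_cert CERT_PATH CN SAN_HOSTNAME
# Constructed input: a one-day self-signed cert whose CN is a load-balancer
# alias and whose SAN carries the host's real name (mirrors the thread).
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORKDIR/key.pem" -out "$1" \
        -subj "/C=XX/O=Example/CN=$2" \
        -addext "subjectAltName=DNS:$3" >/dev/null 2>&1
}

# cert_dn_id CERT
# Print the subject DN in certificate RDN order, "C=XX, O=Example, CN=...",
# which is the spelling used for leftid="..." / rightid="..." in ipsec.conf.
cert_dn_id() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_comma_plus_space \
        | sed 's/^subject= *//'
}

# cert_has_san CERT HOSTNAME
# Succeed only if the SAN extension lists exactly DNS:HOSTNAME.
cert_has_san() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' \
        | grep -qxF "DNS:$2"
}

# render_conn LEFT_DN RIGHT_DN
# Emit a host-to-host transport conn protecting TCP/8080 on the left host,
# with both IDs pinned to a full DN so SAN handling never comes into play.
# 192.0.2.x addresses and the leftCert nickname are placeholders.
render_conn() {
    cat <<EOF
conn cloud_core_tunnel
    type=transport
    authby=rsasig
    left=192.0.2.10
    leftid="$1"
    leftcert=leftCert
    leftrsasigkey=%cert
    leftprotoport=tcp/8080
    right=192.0.2.20
    rightid="$2"
    rightrsasigkey=%cert
    rightprotoport=tcp
    auto=start
EOF
}

CERT="$WORKDIR/left.pem"
make_test_cert "$CERT" "lb-alias.example.test" "left-host.example.test"

LEFT_DN=$(cert_dn_id "$CERT")
echo "left DN id: $LEFT_DN"

if cert_has_san "$CERT" "left-host.example.test"; then
    echo "SAN contains DNS:left-host.example.test"
else
    echo "SAN does not contain the expected hostname" >&2
fi

# The right side's DN would be read the same way from its own certificate;
# a placeholder DN stands in for it here.
render_conn "$LEFT_DN" "C=XX, O=Example, CN=right-host.example.test"
```

Running this on a real certificate means replacing `make_test_cert` with the deployed `cert.pem`; the `leftid` line it prints is what the log line quoted above (`Main mode peer ID is ID_DER_ASN1_DN: '...'`) will then show in full, so a mismatch between what the peer presents and what is configured becomes visible at a glance.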