[Swan] Wildcards in rightid DistinguishedName

Paul Wouters paul at nohats.ca
Mon Feb 15 02:04:36 UTC 2021

On Sat, 13 Feb 2021, Tuomo Soini wrote:

>> As far as I can see only rightid="... CN=test.example.com" or
>> rightid="... CN=*" may be used to match this DNS name.
> Currently there is no support for such.

If this is specific to CN=, then I'd say do not count on libreswan
supporting this. Certificate verification based on anything besides a SAN
is dying at the Certificate Agencies. This might still work on private
CAs used with VPNs, but certificate verification libraries don't often
have support for TLS vs IKE (RFC 4945) so it will become more error prone
in the future.

However, group matching on O= or OU= or L= should work. If not, that is
a bug we would fix.
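An added illustration of the group-matching style the reply recommends. This is
not part of the original message and not a libreswan sample config; the cert
nickname, C=/O=/OU= values and the connection name are made up, and it assumes
the peer certificates carry exactly those RDNs in the same order in their
subject DN, issued by the same CA as the gateway's own cert:

```ini
# /etc/ipsec.conf fragment (added example, constructed names)
conn vpn-group
    left=%defaultroute
    # NSS nickname of the gateway's own certificate (assumed name)
    leftcert=gateway.example.com
    leftid=%fromcert
    right=%any
    # Match the group attributes (O= and OU=) instead of one CN.
    # "*" stands for any value of that RDN; every other RDN must match
    # the peer's certificate subject.
    rightid="C=US, O=Example Corp, OU=VPN Users, CN=*"
    # Peer cert must chain to the same CA as leftcert
    rightca=%same
    authby=rsasig
    auto=add
```

Before relying on such a rule, compare it against the actual subject of a
client certificate (openssl x509 -in client.pem -noout -subject) so that the
RDN set and order line up. And per the reply above, anything other than
SAN-based verification is on the way out: for a per-host identity, an ID of the
form rightid=@host.example.com checked against the certificate's dNSName SAN is
the safer long-term choice than a CN= match.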
