racoon only matches against the first IP subjectAltName?
I haven’t examined the source yet to make sure that I’m right, but empirical evidence leads me to believe that racoon is only recognizing the first IP field in an x509v3 subjectAltName extension. That is, for the following certificate:
X509v3 Subject Alternative Name:
DNS:arthur.example.org, IP Address:192.168.35.24, IP Address:10.14.82.152
It appears that only the 192.168.x.x address will be accepted as a valid ID by racoon. Requests with an ID of 10.14.82.152 will be discarded with the error message: ID mismatched with subjectAltName. So far I’ve only tested this with anonymous remote nodes.
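To make the reported behaviour concrete, here is an added example (not racoon's code, and not from the original post) that parses a DER-encoded subjectAltName GeneralNames sequence and compares the peer's ID against it two ways: the "first IP entry only" check that matches what the post observes, and the check one would expect, which accepts any IP entry. The SAN bytes are constructed by hand from the certificate shown above; the minimal DER parser assumes short-form lengths for the inner entries.

```python
import ipaddress

def _tlv(tag, body):
    """DER tag-length-value with short-form length (enough for this SAN)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

# Constructed DER for the SAN from the post:
# SEQUENCE { [2] "arthur.example.org", [7] 192.168.35.24, [7] 10.14.82.152 }
SAN_DER = _tlv(0x30,
    _tlv(0x82, b"arthur.example.org")           # dNSName   (context tag 2)
    + _tlv(0x87, bytes([192, 168, 35, 24]))    # iPAddress (context tag 7)
    + _tlv(0x87, bytes([10, 14, 82, 152])))    # iPAddress (context tag 7)

def parse_general_names(der):
    """Return (kind, value) pairs from a DER GeneralNames SEQUENCE."""
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    length, pos = der[1], 2
    if length & 0x80:                          # long-form outer length
        n = length & 0x7F
        length = int.from_bytes(der[2:2 + n], "big")
        pos = 2 + n
    end = pos + length
    names = []
    while pos < end:
        tag, ln = der[pos], der[pos + 1]       # inner entries: short form assumed
        body = der[pos + 2:pos + 2 + ln]
        pos += 2 + ln
        if tag == 0x82:
            names.append(("DNS", body.decode("ascii")))
        elif tag == 0x87:
            names.append(("IP", str(ipaddress.ip_address(body))))
        else:
            names.append(("other", body))
    return names

def id_matches_first_ip_only(names, peer_ip):
    """Models the behaviour reported above: only the first IP entry is consulted."""
    ips = [v for k, v in names if k == "IP"]
    return bool(ips) and ips[0] == peer_ip

def id_matches_any_ip(names, peer_ip):
    """The expected check: accept the ID if it matches any IP subjectAltName."""
    return any(k == "IP" and v == peer_ip for k, v in names)
```

With the constructed SAN, `id_matches_first_ip_only` rejects 10.14.82.152 while `id_matches_any_ip` accepts it, which is the difference the post describes.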
Were you able to verify this? Did you find a work around? I’m in the same position.
Ben
2009-05-13 at 15:57
I think I remember that to work around this I changed my_identifier to asn1dn in order to forgo the IP check — which is a shame since correlating the IP is useful and I wish the check worked.
verb
2009-05-13 at 16:37
I ended up using 1 SSL Cert per IP and running multiple instances of racoon, each with their own ‘listen { }’ directive to bind to the IP of the Cert.
Not ideal, but working.
Ben
2009-05-14 at 14:50