Re: OpenSwan: msg#00026 encryption.opensc.user
Hi,

> > cards here would be a proper counting of the ids of the
> > certs where cert df014331 comes up as id46, and the
> > private-keys are not counted in a row but 45, 47, 48, 50
> > (it's 45-48 now).
>
> This is what 0.10.0 was doing. It violates the spec
> and causes other problems.

Even if the application would make the clean distinction between the id of the privkey and the id of the cert i would not be able to address the cert i want it to use with the current snapshots. How should this work? The application can not try all certs in a row with that id.

> Actually nobody wants to use those non-personalized
> certificates that TeleSec puts on their cards.
>
> Here's what I might do: I could reorder the certificates in the
> Netkey emulation such that the user-certificates will be
> the first to be loaded (if they exist). And the TeleSec
> certificate will be loaded last.

Should work in my case, would be great.

> Do you know how OpenSwan selects the certificate?

Looks like opensc-api, the pluto-daemon is linked against libopensc, libssl, libopenct and libpcsclite here.

> How do you specify the certificate within the
> OpenSwan configuration files. Do you use
> 'id45' or just '45' or '0x45'.

0:1, :1, syntax is `%smartcard<reader nr>:<PKCS#15 key id>`. However i could not specify different ids for cert or privkey.

> Have you ever tried '0:45', '1:45' or '2:45'?

0: is same as to not specify the reader at all, 1: and 2: gives an error.

> Why do you have to read a certificate from your
> smartcard at all? That's very slow. Maybe
> OpenSwan can use the correct certificate from
> a file (much faster) and can use only the
> private key from your smartcard.

Great idea, would also be nice to speed stuff up. Seems not to work though.

> Can you specify different sources for your certificate
> and for your key?

Different smartcard-ids or smartcard-id and cert-file do not work here.

> You see - I know nothing about OpenSwan but
> maybe my comments are nevertheless helpful.

Yes, good ideas to try out. I probably should bring up the certid/privkeyid-issue on @freeswan-users. Maybe you can default on sending the telesec-cert as the second one? So i could use future OpenSC-versions out of the box.

greetings,
Christian.