<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>There is now a new "Send certificate requests" toggle available
in the Android client which defaults on and gives the old
behavior. The switch's note is that it will only work if the
server always sends whatever cert(s) it needs, and that's true --
if it's off then it doesn't work (at all) without changes on the
server side.</p>
<p>What would be the <i>least</i> traffic-generating option for
its use? In other words, <i>exactly what either has to be on the
client -- or sent from the server -- for that switch to work?</i></p>
<p>A second (derivative) question is whether the StrongSwan android
client authors have considered the possibility of fixing the DNS
issues that arise if you tether behind an Android phone with
StrongSwan up. Interestingly enough it appears you <i>can</i> ping
and such, but DNS resolution fails.</p>
<p>If that could be resolved then the (relatively common) Windows 10
issue with IKE not being able to handle fragmentation (in the
Windows client) could be alleviated, since the user could tether
off their phone and have StrongSwan run on the phone. If you can
then get the negotiation down to where it doesn't have to fragment,
we now have killed two birds with one stone!</p>
<p>This looks like a very interesting path forward that might
require only a modest amount of work on the StrongSwan Android
client end... but I'm not sure whether you can actually pull off
the DNS redirection from a tethered device at that level.</p>
<p>Thoughts?</p>
<div class="moz-signature">-- <br>
Karl Denninger<br>
<a href="mailto:karl@denninger.net">karl@denninger.net</a><br>
<i>The Market Ticker</i><br>
<font size="-2"><i>[S/MIME encrypted email preferred]</i></font>
</div>
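<p>Added example (not from the original message or the strongSwan project's own docs): the server-side change the switch's note refers to, written for a responder that runs strongSwan with swanctl. It assumes the client has the CA certificate that issued the server certificate available in its profile; the connection, pool, host and file names are placeholders.</p>

```conf
# swanctl.conf fragment for the strongSwan responder (server side).
# Names below (android-rw, rw-pool, vpn.example.com, server-cert.pem)
# are assumed placeholders, not values from the original message.
connections {
    android-rw {
        pools = rw-pool
        local {
            auth  = pubkey
            certs = server-cert.pem      # end-entity cert; loaded intermediates are sent with it
            id    = vpn.example.com
        }
        remote {
            auth   = eap-mschapv2         # assumed client auth method; any method works here
            eap_id = %any
        }
        # Default (weak for this use): the server only sends its certificate
        # when the client includes a CERTREQ payload in IKE_AUTH.
        #   send_cert = ifasked
        # With "Send certificate requests" switched off, the Android client
        # sends no CERTREQ at all, so the server must send its certificate
        # unconditionally or authentication fails.
        send_cert = always
        children {
            rw {
                local_ts = 0.0.0.0/0
            }
        }
    }
}
pools {
    rw-pool {
        addrs = 10.10.10.0/24
    }
}
```

With `send_cert = always`, the client's IKE_AUTH request no longer carries the CERTREQ list of CA hashes, which is what the switch is trying to shrink; the client still verifies the received certificate against the CA configured in its profile.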
</body>
</html>