[strongSwan-dev] Subject certificate signature verification

Martin Willi martin at strongswan.org
Tue Nov 11 15:34:17 CET 2014


> What if the right and left certs in the negotiation are the same, but only
> the left cert is configured in ipsec.conf on the server? Does strongSwan make
> any assumptions about the right cert in that case?

While I really think it usually is good practice to have a separate
certificate for each peer, that should work as well. If no rightcert is
defined, any certificate is acceptable that either is marked as trusted
(which it is by setting leftcert to it), or for which a valid trustchain
can be constructed to a trusted CA (for example, one from the cacerts
directory).

Regards
Martin
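
The rule described in the reply, as an added ipsec.conf sketch that is not part of the original message: the first connection leaves rightcert unset, the second pins the peer certificate. Connection names and certificate file names are constructed placeholders.

```conf
# Added illustration; conn names and *.pem file names are placeholders.

# Case from the thread: both peers present the same certificate and
# only leftcert is configured on the server.
conn shared-cert
    keyexchange=ikev2
    left=%any
    leftcert=sharedCert.pem
    right=%any
    # rightcert is not set. Per the reply, the peer certificate is
    # accepted if it is either
    #   - marked as trusted (sharedCert.pem is, because it is loaded
    #     as leftcert), or
    #   - backed by a valid trust chain to a trusted CA, for example
    #     one from the cacerts directory.
    # The second branch means any certificate issued under a trusted
    # CA can pass this check, not only sharedCert.pem.
    auto=add

# Separate certificate per peer, with the peer certificate configured
# explicitly through rightcert.
conn pinned-peer
    keyexchange=ikev2
    left=%any
    leftcert=serverCert.pem
    right=%any
    rightcert=clientCert.pem
    auto=add
```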


