[strongSwan] CERTREQ/CERT question

Martin Willi martin at strongswan.org
Tue Apr 6 13:17:37 CEST 2010


> The 3GPP document TS 33.310 V8.3.0 (2009-06) suggests that the system
> sends all its CA certificates in this case and lets the remote decide.

Hm, I don't think that this makes a lot of sense. A peer has to select a
single private key to sign the AUTH payload. This restricts it to use
the associated certificate (chain), unless the peer has signed the same
key in different certificates from different CAs (which is rather

> What is strongSwan's behaviour when it receives in a CERTREQ anchors for
> which it can't build up a trusted path?

If charon can't build a trust chain for any of the anchors in a received
CERTREQ, it includes the subject certificate only as a fallback.
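As an added illustration of the selection logic described above (this is example code written for this page, not charon's own implementation): a CERTREQ for the "X.509 Certificate - Signature" encoding carries the SHA-1 hashes of the trusted CAs' SubjectPublicKeyInfo (RFC 5996, section 3.7). The responder holds one private key, possibly certified by several CAs, walks each candidate certificate's issuer links toward an anchor the peer asked for, and sends the leaf plus intermediates when a path exists. When no requested anchor is reachable it falls back to sending the subject certificate only. The certificate records, key bytes and names below are constructed stand-ins, not real DER.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# RFC 5996 section 3.6: Cert Encoding value 4 = "X.509 Certificate - Signature"
X509_SIGNATURE = 4
HASH_LEN = 20  # SHA-1 digest length used for CA key hashes (RFC 5996 section 3.7)


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    spki: bytes  # stands in for the DER SubjectPublicKeyInfo (constructed, not real DER)

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def ca_key_hash(cert: Cert) -> bytes:
    """A CERTREQ identifies a CA by the SHA-1 of its SubjectPublicKeyInfo."""
    return hashlib.sha1(cert.spki).digest()


def build_certreq(anchors: list) -> bytes:
    """Encode a CERTREQ payload body: one encoding byte, then concatenated CA key hashes."""
    return bytes([X509_SIGNATURE]) + b"".join(ca_key_hash(a) for a in anchors)


def parse_certreq(body: bytes) -> list:
    """Split a CERTREQ payload body into the list of requested CA key hashes."""
    if not body or body[0] != X509_SIGNATURE:
        raise ValueError("unsupported Cert Encoding in CERTREQ")
    hashes = body[1:]
    if len(hashes) % HASH_LEN:
        raise ValueError("malformed CERTREQ: hash list is not a multiple of 20 bytes")
    return [hashes[i:i + HASH_LEN] for i in range(0, len(hashes), HASH_LEN)]


def chain_to_anchor(leaf: Cert, store: dict, requested: set, max_depth: int = 8) -> Optional[list]:
    """Walk issuer links upward from leaf. Returns [leaf, intermediates...] once an issuer
    whose key hash the peer requested is reached (the anchor itself is not sent; the peer
    already holds it). Returns None on a missing issuer, an unrequested root, or when the
    depth limit is hit, so a looping or overlong chain cannot stall the negotiation."""
    chain = [leaf]
    current = leaf
    for _ in range(max_depth):
        if current.self_signed:
            return None  # reached a root the peer did not ask for
        issuer = store.get(current.issuer)
        if issuer is None:
            return None  # no local copy of the issuer, path cannot be completed
        if ca_key_hash(issuer) in requested:
            return chain
        chain.append(issuer)
        current = issuer
    return None


def select_certs_to_send(local_certs: list, store: dict, certreq_body: bytes) -> list:
    """Choose the certificates for the CERT payloads. Every candidate must carry the same
    public key, because a single private key signs the AUTH payload; only the chain
    (the CA that certified that key) may differ between candidates."""
    if len({c.spki for c in local_certs}) != 1:
        raise ValueError("candidate certificates must all certify the AUTH signing key")
    requested = set(parse_certreq(certreq_body))
    for cert in local_certs:
        chain = chain_to_anchor(cert, store, requested)
        if chain is not None:
            return chain
    # Fallback: no trust path to any requested anchor, send the subject certificate only.
    return [local_certs[0]]


# Constructed sample PKI: the gateway key is certified twice, under Root A (via an
# intermediate) and directly under Root B.
ROOT_A = Cert("CN=Root A", "CN=Root A", b"root-a-key")
ROOT_B = Cert("CN=Root B", "CN=Root B", b"root-b-key")
INTER_A = Cert("CN=Inter A", "CN=Root A", b"inter-a-key")
GW_KEY = b"gateway-key"
GW_CERT_A = Cert("CN=gw.example.org", "CN=Inter A", GW_KEY)
GW_CERT_B = Cert("CN=gw.example.org", "CN=Root B", GW_KEY)
STORE = {c.subject: c for c in (ROOT_A, ROOT_B, INTER_A)}
LOCAL_CERTS = [GW_CERT_A, GW_CERT_B]


if __name__ == "__main__":
    for label, anchors in (("Root A", [ROOT_A]), ("Root B", [ROOT_B]),
                           ("unknown", [Cert("CN=Root C", "CN=Root C", b"root-c-key")])):
        sent = select_certs_to_send(LOCAL_CERTS, STORE, build_certreq(anchors))
        print(f"CERTREQ for {label}: send {[c.subject for c in sent]}")
```

Run it to see the three outcomes: an anchor of Root A yields the leaf plus the intermediate, an anchor of Root B yields the directly-issued leaf alone, and an anchor the gateway knows nothing about triggers the subject-certificate-only fallback.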


