[strongSwan] Checking of certificate CN and subjectAltName against IDr

Martin Willi martin at strongswan.org
Wed Aug 3 11:29:42 CEST 2011

Hi Graham,

> Does strongSwan (on the initiator) check that the original FQDN/IDr is
> also in the certificate ?


> If the certificate has only a "subject" and no "subjectAltName", does
> strongSwan check that the IDr matches the CN specified in the
> "subject" of the certificate ?

Unlike in SSL/TLS, we check the ID against the full subject
Distinguished Name, not only against the CN RDN. In other words, the ID
gateway.example.com does not match against "C=CH, O=strongSwan,
CN=gateway.example.com". You'd have to use the full DN as the identity.

> If the certificate has both a "subject" and "subjectAltName", does
> strongSwan check that the IDr matches EITHER the CN specified in the
> "subject" OR one of the multiple "subjectAltName" entries ?

It must match the full subject DN or one of the subjectAltNames.

> A customer of ours is convinced that if both a "subject" and one (or
> more) "subjectAltName" are present, the initiator must check that the
> IDr matches (one of) the "subjectAltName" entries AND must also check
> that the IDr does NOT match the "subject"'s CN.

I don't see why such a restriction would make sense, and I can't find
such a rule in RFC4945.
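The matching rule described in this reply, worked through as an added example (not strongSwan's own code): an IKE identity is accepted only if it equals the whole subject DN or one of the subjectAltName entries, and a bare FQDN never matches the CN on its own. The certificate model, the DN parser and the sample values are constructed for the example and simplified (no escaped commas, case-insensitive value comparison).

```python
from dataclasses import dataclass, field


@dataclass
class Cert:
    """Constructed stand-in for a parsed X.509 certificate (not a real parser)."""
    subject: str                                   # DN string, e.g. "C=CH, O=strongSwan, CN=..."
    san_dns: list = field(default_factory=list)    # dNSName subjectAltName entries


def _normalize_dn(dn: str) -> tuple:
    """Turn 'C=CH, O=strongSwan, CN=gw.example.com' into an ordered tuple of
    (TYPE, value) pairs. Order is significant: a DN is an RDN sequence, so the
    comparison is against the full, ordered subject, never a single RDN.
    Simplification: escaped commas are not handled, values compare case-insensitively."""
    rdns = []
    for rdn in dn.split(","):
        attr_type, sep, value = rdn.strip().partition("=")
        if not sep or not value.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        rdns.append((attr_type.strip().upper(), value.strip().lower()))
    return tuple(rdns)


def id_matches_cert(identity: str, cert: Cert) -> bool:
    """Apply the rule from the reply: full subject DN OR one of the SANs."""
    if "=" in identity:
        # DN-form identity: must equal the complete subject DN, not a CN subset.
        return _normalize_dn(identity) == _normalize_dn(cert.subject)
    # FQDN identity: must appear among the dNSName SANs. The CN is not consulted,
    # so a certificate with a matching CN but no SAN does not match a bare FQDN.
    wanted = identity.lower().rstrip(".")
    return wanted in {name.lower().rstrip(".") for name in cert.san_dns}


if __name__ == "__main__":
    # Constructed gateway certificates: one without SANs, one with SANs.
    cn_only = Cert("C=CH, O=strongSwan, CN=gateway.example.com")
    with_san = Cert("C=CH, O=strongSwan, CN=gateway.example.com",
                    ["gateway.example.com", "vpn.example.com"])
    print(id_matches_cert("gateway.example.com", cn_only))                       # False
    print(id_matches_cert("C=CH, O=strongSwan, CN=gateway.example.com", cn_only))  # True
    print(id_matches_cert("gateway.example.com", with_san))                      # True
```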