[strongSwan] strongswan android app fails to connect when cert SAN contains DNS

SM K sacho.polo at gmail.com
Thu Aug 8 04:00:52 CEST 2013


Hi Andreas,

Thanks for the reply. I had guessed that this was not supported. Thanks for
the confirmation.

regards,
sk


On Wed, Aug 7, 2013 at 12:06 PM, Andreas Steffen <
andreas.steffen at strongswan.org> wrote:

> Hi,
>
> as far as I know strongSwan does not support wildcards in certificates
> which is bad practice anyway. Thus xyz.mycompany.com does not match the
> wildcard subjectAltName *.mycompany.com.
>
> Regards
>
> Andreas
>
>
> On 07.08.2013 20:39, SM K wrote:
>
>> Hi,
>>
>> I am trying to establish an IPSEC tunnel from the android strongswan app
>> to a gateway using a name as in "xyz.mycompany.com
>> <http://xyz.mycompany.com>". The authentication is using
>>
>> certificates. The gateway certificate has a Subject Alt Name as
>> "DNS:*.mycompany.com, DNS:mycompany.com.
>>
>> This causes the android app to fail connection as the constraint check
>> against gateway fails.  This ofcourse works fine when the cert contains
>> the full domain name or the ip address.
>>
>> We have other setups where this kind of thing works. I wanted to check
>> if this kind of thing is supported or not.
>>
>> The logs from the strongswan app say the following.
>> cfg : constarint check failed: identity xyz.mycompany.com required
>> selected peer config android inacceptable: constaint check failed
>>
>> regards,
>> -smk
>>
>
> ==============================**==============================**==========
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ==============================**=============================[**ITA-HSR]==
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20130807/56b24d6e/attachment.html>


More information about the Users mailing list