[strongSwan] Query regarding Ca-Cert list

Noel Kuntze noel at familie-kuntze.de
Tue Jun 10 22:12:58 CEST 2014


Hello Mukesh,

You can use the leftcert directive for such cases. The description of the directive states this:
"[...]leftcert is required only if selecting the certificate with leftid is not sufficient, for example if multiple
certificates use the same subject.[...]"

Regards,
Noel Kuntze

GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 10.06.2014 08:59, Mukesh Yadav wrote:
> Hi,
>
> This is a question more specific to OpenSSL, but being a generic scenario, I am posting this on strongSwan in case someone can provide info.
>
> Query for Ca-Cert list.
> If at the gateway we have configured two CA certs, A1 and A2, both having the same subject and content except the time-stamp of generation.
>
> If the peer sends a cert matching A2, the gateway tries to validate it with A1 (subject being the same and configured first in the list) and validation fails.
>
> 1. Is there a way to avoid adding a cert to the store if the subject and all contents are the same except the time-stamp of generation?
> 2. Or, if not the 1st, is there a way to validate an incoming cert with both certs configured in the store?
> 3. Or is this scenario a known limitation, and one has to take care while configuring...
>
> Thanks
> Mukesh

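The scenario in the question, as an added example that is not part of the original thread and is not strongSwan or OpenSSL code: issuer selection that tries every CA with a matching subject rather than stopping at the first one. It assumes A1 and A2 carry different keys, uses the Python `cryptography` package, and all names, dates and certificates are constructed for illustration.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(subject, issuer, pub, signing_key, not_before, is_ca):
    # Constructed test certificate, valid for one year from not_before.
    return (x509.CertificateBuilder()
            .subject_name(name(subject)).issuer_name(name(issuer))
            .public_key(pub).serial_number(x509.random_serial_number())
            .not_valid_before(not_before)
            .not_valid_after(not_before + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signing_key, hashes.SHA256()))

def find_issuers(cert, ca_store):
    """Return every CA whose subject equals cert.issuer AND whose key verifies
    cert's signature. Signature check only: no validity period or revocation."""
    matches = []
    for ca in ca_store:
        if ca.subject != cert.issuer:
            continue
        try:
            ca.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
            matches.append(ca)
        except InvalidSignature:
            pass  # same subject, different key: keep trying the other candidates
    return matches

# Constructed scenario: A1 and A2 share a subject but differ in key and timestamp
# (different keys are an assumption; the question does not state it).
k1, k2, kp = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
A1 = make_cert("Example CA", "Example CA", k1.public_key(), k1, datetime.datetime(2014, 1, 1), True)
A2 = make_cert("Example CA", "Example CA", k2.public_key(), k2, datetime.datetime(2014, 6, 1), True)
peer = make_cert("peer.example", "Example CA", kp.public_key(), k2, datetime.datetime(2014, 6, 2), False)

issuers = find_issuers(peer, [A1, A2])  # A1 is listed first, as in the question
```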