[strongSwan] How to send IDi and DN separately?

Martin Willi martin at strongswan.org
Mon Feb 16 09:38:22 CET 2015


Hi,

> How to send IDi and DN separately such that DN doesn't overwrite IDi?

strongSwan requires that the IDi matches one of the identities in the
certificate, and enforces that if it does not. To use a different ID,
you should include that ID as subjectAltName in your certificate.

If you really need a different ID, you might look at the two patches
from [1] (you might need to port them to a newer release). It allows you
to set the cert_id_binding option to false. This is really not
recommended, though, and you should be aware of the security
implications this has...

Regards
Martin

[1] http://git.strongswan.org/?p=strongswan.git;a=shortlog;h=refs/heads/cert-id-binding-option
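
Added example, not part of the original message and not strongSwan code: a shell sketch of the recommended route, issuing a certificate that carries the desired IDi as a subjectAltName and checking that it is present before it is used as the IKE identity. The names, the DN and the helper functions `issue_cert` and `cert_has_san` are constructed for illustration; it assumes OpenSSL 1.1.1 or newer and uses a self-signed certificate only so that it runs offline.

```shell
#!/bin/sh
# Added example: put the desired IKE identity into the certificate as a
# subjectAltName, then confirm it is there before using it as IDi.
# All names are constructed sample values. Requires OpenSSL 1.1.1 or newer.
set -e

# issue_cert <prefix> <subject DN> [san]
# Self-signed only to keep the example offline; in a real deployment the
# CA adds the same subjectAltName when it signs the request.
issue_cert() {
    if [ -n "${3:-}" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -keyout "$1.key" -out "$1.crt" -subj "$2" \
            -addext "subjectAltName=$3" 2>/dev/null
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -keyout "$1.key" -out "$1.crt" -subj "$2" 2>/dev/null
    fi
}

# cert_has_san <cert> <type:value>, e.g. DNS:host or email:user@host
# Succeeds only on an exact match of one subjectAltName entry.
cert_has_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        grep -qxF -- "$2"
}

demo() {
    dir=$(mktemp -d)
    dn="/C=CH/O=Example/CN=client1"
    id="client1.vpn.example.org"          # identity we want to send as IDi
    issue_cert "$dir/plain" "$dn"
    issue_cert "$dir/withsan" "$dn" "DNS:$id"
    for c in plain withsan; do
        if cert_has_san "$dir/$c.crt" "DNS:$id"; then
            echo "$c.crt: $id is a certificate identity, usable as IDi"
        else
            echo "$c.crt: $id is not in the certificate, do not use it as IDi"
        fi
    done
    rm -rf "$dir"
}
demo
```

The identity configured on the peer (for example `leftid` in ipsec.conf) then has to be exactly the value that was placed in the subjectAltName.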



