[strongSwan] CA certificate in response to certificate request payload in x509 authentication

Sameer Agrawal agrawalsameer at gmail.com
Fri Apr 22 19:09:31 CEST 2016


Thanks, Tobias.
So is there a way to send the SHA-1 hashes of the public keys of CAs? Do we
do that already? If not, is there a way to enable it?

On Fri, Apr 22, 2016 at 12:47 AM, Tobias Brunner <tobias at strongswan.org>
wrote:

> Hi Sameer,
>
> > The issue I am facing is the peer is requesting a CA certificate in its
> > certificate request payload in the message.
>
> A certificate request payload contains the SHA-1 hashes of the public
> keys of CAs a peer accepts (or prefers) end-entity certificates from.
> It's not a request to actually send the CA certificate but for the peer
> to select its end-entity certificate used for the authentication.
>
> > Is there a way to send the CA certificate if the peer is requesting that
> > in the certificate request payload? If yes, how can I do that?
>
> strongSwan currently never sends the root CA certificate of a
> certificate chain, because how would the other peer trust it?
>
> Regards,
> Tobias
>
>
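
The certificate request payload described in the quoted reply, as an added example that is not part of the original thread and not strongSwan code: it parses an IKEv2 CERTREQ payload (layout per RFC 7296, section 3.7) into its SHA-1 CA key hashes and uses them to pick a local end-entity certificate. The SPKI byte strings, certificate names and helper names are constructed for illustration, and matching only the direct issuer (no intermediate CAs) is a simplifying assumption.

```python
import hashlib
import struct

X509_SIGNATURE = 4  # Cert Encoding "X.509 Certificate - Signature" (RFC 7296, 3.6)
SHA1_LEN = 20

def ca_key_hash(spki_der: bytes) -> bytes:
    """SHA-1 over the DER-encoded SubjectPublicKeyInfo of a CA certificate."""
    return hashlib.sha1(spki_der).digest()

def build_certreq(hashes) -> bytes:
    """Encode a CERTREQ payload: generic header, encoding byte, then the hashes."""
    body = bytes([X509_SIGNATURE]) + b"".join(hashes)
    return struct.pack("!BBH", 0, 0, 4 + len(body)) + body

def parse_certreq(payload: bytes) -> list:
    """Return the CA key hashes carried in one CERTREQ payload (header included)."""
    if len(payload) < 5:
        raise ValueError("truncated CERTREQ payload")
    _next_payload, _flags, length = struct.unpack("!BBH", payload[:4])
    if length != len(payload):
        raise ValueError("payload length field does not match the data")
    encoding, ca_data = payload[4], payload[5:]
    if encoding != X509_SIGNATURE:
        return []  # this example only handles the hash-list encoding
    if len(ca_data) % SHA1_LEN:
        raise ValueError("CA field is not a whole number of SHA-1 hashes")
    return [ca_data[i:i + SHA1_LEN] for i in range(0, len(ca_data), SHA1_LEN)]

def select_certificate(requested, local_certs):
    """Return the first local certificate whose issuer key hash was requested."""
    wanted = set(requested)
    for name, issuer_hash in local_certs:
        if issuer_hash in wanted:
            return name
    return None  # no local certificate chains to a CA the peer listed

# Constructed stand-ins for the DER SubjectPublicKeyInfo of three CAs.
SPKI_CA_A = b"constructed-spki-der-ca-a"
SPKI_CA_B = b"constructed-spki-der-ca-b"
SPKI_CA_C = b"constructed-spki-der-ca-c"

# The peer lists CA A and CA B; we hold certificates issued by CA C and CA B.
SAMPLE = build_certreq([ca_key_hash(SPKI_CA_A), ca_key_hash(SPKI_CA_B)])
LOCAL_CERTS = [("gw-cert-from-ca-c", ca_key_hash(SPKI_CA_C)),
               ("gw-cert-from-ca-b", ca_key_hash(SPKI_CA_B))]

if __name__ == "__main__":
    print(select_certificate(parse_certreq(SAMPLE), LOCAL_CERTS))
```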

