[strongSwan] id not confirmed by certificate

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Fri Aug 18 19:12:38 CEST 2017


Hi,

You can only use either the whole DN or one of the SAN extensions as IDs. strongSwan implements a behaviour that
is compatible with what is recommended in RFC6125[1] and is standardized in RFC4945[2].

So you need to change your certs.

Kind regards

Noel

[1] https://tools.ietf.org/html/rfc6125#section-2.3
[2] https://tools.ietf.org/html/rfc4945#section-3.1

On 17.08.2017 16:07, Mike.Ettrich at bertelsmann.de wrote:
>
> Hi!
>
> I try to start the server (strongSwan-5.5.3) with the following config (only a snippet):
>
> conn TI-VPN2
>            keyexchange=ikev2
>            leftcert=vpn1-ref.gto-refCert.pem
>            left=vpn1-ref.gto-ref.zgd.service-ti.de
>
> But when starting the log contains:
>
> Aug 17 15:34:37 05[CFG]   loaded certificate "C=DE, O=xxx Systems GmbH TEST-ONLY - NOT-VALID, CN=vpn1-ref.gto-ref.zgd.service-ti.de" from 'vpn1-ref.gto-refCert.pem'
> Aug 17 15:34:37 05[CFG]   id 'vpn1-ref.gto-ref.zgd.service-ti.de' not confirmed by certificate, defaulting to 'C=DE, O=xxx Systems GmbH TEST-ONLY - NOT-VALID, CN=vpn1-ref.gto-ref.zgd.service-ti.de'
>
> and I understood that this disables the usage of the id= vpn1-ref.gto-ref.zgd.service-ti.de.
>
> Question:
>
> What is the reason for this behaviour?
>
> Do we need to change our certificate?
>
> Thanks for any suggestion.
>
> Regards,
>
> Mike.
>
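As an added illustration of the rule Noel describes (not strongSwan code, and not part of the original thread): an FQDN identity is only "confirmed" when it appears as a dNSName in the subjectAltName extension, while a DN identity must equal the complete subject DN; a CN that merely contains the hostname does not count. The model below classifies an identity string the way strongSwan's `identification_create_from_string()` broadly does (contains `=`: DN, contains `@`: e-mail, parses as an IP: address, otherwise FQDN), then checks it against a certificate's subject and SAN fields. The two certificates are constructed inline for the example: `CERT_NO_SAN` mirrors the one in the log above, `CERT_WITH_SAN` is the same subject reissued with a SAN entry. DN comparison is done on the RFC 4514 string form here; strongSwan compares the DER encoding, so treat that as a simplification.

```python
"""Model of IKE identity confirmation against an X.509 certificate.

Rule (RFC 4945 section 3.1, as strongSwan applies it): an ID of DN type must
match the certificate's whole subject DN; an FQDN / RFC822 / IP identity must
match a subjectAltName entry of the corresponding type.  Stand-alone example
written for this page, not strongSwan source.
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Cert:
    """The certificate fields that matter for identity confirmation (constructed)."""
    subject_dn: str                      # RFC 4514 string form of the subject
    san_dns: list = field(default_factory=list)    # dNSName entries
    san_email: list = field(default_factory=list)  # rfc822Name entries
    san_ip: list = field(default_factory=list)     # iPAddress entries


def parse_dn(dn):
    """Split an RFC 4514 DN string into [(TYPE, value), ...], honouring '\\,' escapes."""
    rdns, cur, esc = [], "", False
    for ch in dn:
        if esc:
            cur += ch
            esc = False
        elif ch == "\\":
            esc = True
        elif ch == ",":
            rdns.append(cur.strip())
            cur = ""
        else:
            cur += ch
    rdns.append(cur.strip())
    out = []
    for rdn in rdns:
        attr_type, _, value = rdn.partition("=")
        out.append((attr_type.strip().upper(), value.strip()))
    return out


def dn_equal(a, b):
    """Whole-DN comparison: same RDNs, same order, values compared case-insensitively."""
    pa, pb = parse_dn(a), parse_dn(b)
    return len(pa) == len(pb) and all(
        ta == tb and va.casefold() == vb.casefold() for (ta, va), (tb, vb) in zip(pa, pb)
    )


def classify(identity):
    """Identity type inferred from the string, modelled on strongSwan's heuristics."""
    if "=" in identity:
        return "dn"
    if "@" in identity:
        return "email"
    try:
        ipaddress.ip_address(identity)
        return "ip"
    except ValueError:
        return "fqdn"


def confirm_id(identity, cert):
    """Return (confirmed, effective_id).

    When the identity is not confirmed, the effective identity falls back to the
    subject DN, which is what the 'not confirmed by certificate, defaulting to'
    log line in the thread reports.
    """
    kind = classify(identity)
    if kind == "dn":
        ok = dn_equal(identity, cert.subject_dn)
    elif kind == "fqdn":
        ok = identity.casefold() in (d.casefold() for d in cert.san_dns)
    elif kind == "email":
        ok = identity.casefold() in (e.casefold() for e in cert.san_email)
    else:  # "ip"
        ok = ipaddress.ip_address(identity) in [ipaddress.ip_address(i) for i in cert.san_ip]
    return (True, identity) if ok else (False, cert.subject_dn)


# Constructed inputs: the certificate from the log above (CN only, no SAN), and
# the same subject reissued with a matching dNSName SAN.
SUBJECT = "C=DE, O=xxx Systems GmbH TEST-ONLY - NOT-VALID, CN=vpn1-ref.gto-ref.zgd.service-ti.de"
HOST = "vpn1-ref.gto-ref.zgd.service-ti.de"
CERT_NO_SAN = Cert(subject_dn=SUBJECT)
CERT_WITH_SAN = Cert(subject_dn=SUBJECT, san_dns=[HOST])


def demo():
    """Three configurations a practitioner would try; returns the outcomes."""
    return {
        "fqdn_vs_cn_only": confirm_id(HOST, CERT_NO_SAN),      # not confirmed: CN is not a SAN
        "dn_as_leftid":    confirm_id(SUBJECT, CERT_NO_SAN),   # confirmed: whole DN matches
        "fqdn_vs_san":     confirm_id(HOST, CERT_WITH_SAN),    # confirmed: dNSName present
    }


if __name__ == "__main__":
    for name, (ok, eff) in demo().items():
        print(f"{name}: confirmed={ok} effective id='{eff}'")
```

The two practical ways out follow from the model: either set `leftid` to the full subject DN string so the DN itself is the identity, or reissue the certificate with a `subjectAltName` containing `DNS:vpn1-ref.gto-ref.zgd.service-ti.de` (for example with `openssl req -addext "subjectAltName=DNS:..."`, available in OpenSSL 1.1.1 and later) so the FQDN identity is confirmed.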
