[strongSwan] New Android update option - how to best exploit?

Tobias Brunner tobias at strongswan.org
Wed Jul 5 16:25:04 CEST 2017


Hi Karl,

> BTW is the OCSP check failure due to lack of "curl" support in the
> Android client?

No, it's because the revocation plugin can't build an OCSP request (only
the x509 plugin can do so but on Android we use the openssl plugin to
parse certificates so that plugin isn't enabled).  I guess we could just
disable OCSP verification in the revocation plugin until that's supported.

> In any event the failure there appears to be wrong as the "CN" has to be
> set differently to the RSA's CN or the cert won't certify by the CA (due
> to being a duplicate); the SAN DNS field IS correct (genesis.denninger.net)
> 
>             X509v3 Subject Alternative Name:
>                 email:postmaster at denninger.net, DNS:genesis.denninger.net
>             X509v3 Extended Key Usage:
>                 TLS Web Server Authentication

Have you set a server identity in the VPN profile?  Could you send me
the cert so I can have a look at it?

> I will try it with the RSA certificate:
> 
> Uh, nope.  Same problem with the same log entry from the client.

Did that work before?  Does it work if you select the CA certificate
instead of the server certificate in the profile?

Regards,
Tobias
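
As an added illustration, not strongSwan's code, of what the revocation plugin has to produce when it queries a responder: the DER structure of a minimal unsigned OCSP request, built with the Python standard library only. The issuer name and key bytes in the `__main__` block are constructed placeholders, not values from any real CA.

```python
# Added example: minimal unsigned OCSPRequest (RFC 6960) in DER, pure stdlib.
import hashlib

# AlgorithmIdentifier { id-sha1 (1.3.14.3.2.26), NULL }
SHA1_ALG_ID = bytes.fromhex("300906052b0e03021a0500")


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_int(value: int) -> bytes:
    """DER INTEGER for a non-negative value: minimal big-endian two's complement."""
    assert value >= 0
    # (bit_length + 8) // 8 leaves a leading 0x00 byte when the high bit is set
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def cert_id(issuer_name_der: bytes, issuer_spk: bytes, serial: int) -> bytes:
    """CertID ::= SEQUENCE { hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber }.
    issuer_name_der is the DER-encoded issuer Name; issuer_spk is the raw content of the
    issuer's subjectPublicKey BIT STRING (without tag, length and unused-bits byte)."""
    return der(0x30, SHA1_ALG_ID
               + der(0x04, hashlib.sha1(issuer_name_der).digest())
               + der(0x04, hashlib.sha1(issuer_spk).digest())
               + der_int(serial))


def ocsp_request(issuer_name_der: bytes, issuer_spk: bytes, serial: int) -> bytes:
    """OCSPRequest ::= SEQUENCE { TBSRequest { requestList SEQUENCE OF Request { reqCert CertID } } }."""
    request = der(0x30, cert_id(issuer_name_der, issuer_spk, serial))  # Request
    request_list = der(0x30, request)                                  # SEQUENCE OF Request
    tbs_request = der(0x30, request_list)                              # version v1 is DEFAULT, so omitted
    return der(0x30, tbs_request)                                      # no optionalSignature


if __name__ == "__main__":
    # Constructed placeholder inputs: an issuer Name with a single CN RDN
    # (SEQUENCE { SET { SEQUENCE { OID 2.5.4.3, UTF8String } } }) and an arbitrary key blob.
    name = der(0x30, der(0x31, der(0x30, bytes.fromhex("0603550403") + der(0x0c, b"Example CA"))))
    print(ocsp_request(name, b"\x00" * 32 + b"\x01", 0x1234).hex())
```

The hex printed by the `__main__` block can be fed to `openssl ocsp -reqin` (after converting to binary) to confirm that it parses as a well-formed request.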

