[strongSwan] New Android update option - how to best exploit?

Tobias Brunner tobias at strongswan.org
Wed Jul 5 17:20:17 CEST 2017

Hi Karl,

> Yes.  If the frag-eating monster does not get me BOTH certificates work
> (when sent from the server with the switch turned on.)

OK, I see what the problem is.  If no certificate is exchanged the used
certificate does not end up in the remote auth-cfg in a way currently
used when trying to check the configured identity (hostname here)
against the subjectAlternativeName extension of the certificate (only
received certificates are currently considered there).  I changed that
in the local-cert-san-check branch.
As a workaround you could either change the identity the server uses
(leftid) to genesis.denninger.net, or set the server identity in the
client profile to the one the server actually uses, which is currently
the full subject DN of the certificate.


More information about the Users mailing list