[strongSwan] New Android update option - how to best exploit?

Karl Denninger karl at denninger.net
Wed Jul 5 17:31:27 CEST 2017

On 7/5/2017 10:20, Tobias Brunner wrote:
> Hi Karl,
>> Yes.  If the frag-eating monster does not get me BOTH certificates work
>> (when sent from the server with the switch turned on.)
> OK, I see what the problem is.  If no certificate is exchanged the used
> certificate does not end up in the remote auth-cfg in a way currently
> used when trying to check the configured identity (hostname here)
> against the subjectAlternativeName extension of the certificate (only
> received certificates are currently considered there).  I changed that
> in the local-cert-san-check branch.
> As a workaround you could either change the identity the server uses
> (leftid) to genesis.denninger.net, or set the server identity in the
> client profile to the one the server actually uses, which is currently
> the full subject DN of the certificate.
> Regards,
> Tobias
That works; the only (rational) thing to do there is to set the leftid
on the server, which does work (and is rational since it isn't going to
change anyway.)

Now if I can get a Win10 config that also doesn't need frag passing to
work until the authentication is complete (at which point it works just

Karl Denninger
karl at denninger.net <mailto:karl at denninger.net>
/The Market Ticker/
/[S/MIME encrypted email preferred]/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170705/28b115ab/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2993 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170705/28b115ab/attachment-0001.bin>

More information about the Users mailing list