[strongSwan] another question about rightca

Harald Dunkel harri at afaics.de
Sat Sep 9 15:18:46 CEST 2017

Hi folks,

I had a typo in rightca, like


instead of

	rightca="C=DE, O=example gmbh, OU=it, CN=my-CA"

There was a message in charon.log:

	CA certificate "CN=my-CA" not found, discarding CA constraint

The IPsec gateway was much more open than intended. Shouldn't 
charon ignore a connection with a bad rightca instead, just to
be on the safe side?


More information about the Users mailing list