[strongSwan] how to send/request the intermediate CAs?

Tobias Brunner tobias at strongswan.org
Mon Mar 5 10:01:22 CET 2018

Hi Harald,

> Even if Strongswan ignores the additional certs, is it possible that
> some crypto implementation *used* by Strongswan does not, but reads
> all certificates found in the cert files (in /etc/ipsec.d)?

Only the pem plugin reads PEM encoded files, and it only parses one
credential per file (unless you are again talking about PKCS#12
containers loaded via P12 keyword in ipsec.secrets).

> Does Strongswan send just the first certificates it has read to the
> peer, or does it send the whole certificate file (the chain)?

What it doesn't parse it can't send.

> Reason for asking is that I see some weird authentication failures if
> I cut off the additional certificates from the chain files and put
> them into seperate files.

What does the log say exactly?


More information about the Users mailing list