[strongSwan] how to send/request the intermediate CAs?
Tobias Brunner
tobias at strongswan.org
Mon Mar 5 10:01:22 CET 2018
Hi Harald,
> Even if Strongswan ignores the additional certs, is it possible that
> some crypto implementation *used* by Strongswan does not, but reads
> all certificates found in the cert files (in /etc/ipsec.d)?
Only the pem plugin reads PEM encoded files, and it only parses one
credential per file (unless you are again talking about PKCS#12
containers loaded via P12 keyword in ipsec.secrets).
> Does Strongswan send just the first certificates it has read to the
> peer, or does it send the whole certificate file (the chain)?
What it doesn't parse it can't send.
> Reason for asking is that I see some weird authentication failures if
> I cut off the additional certificates from the chain files and put
> them into separate files.
What does the log say exactly?
Regards,
Tobias
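
Following from the statement above that the pem plugin parses only one credential per file, this sketch reports files holding more than one certificate block and splits such a file into one block per file. It is an added example, not part of the original message or of strongSwan; the function names and the constructed sample chain are assumptions, and the directories are whatever the caller passes in.

```shell
# Added example: only the BEGIN/END CERTIFICATE markers are inspected;
# the certificates themselves are not parsed or validated.

# Print the number of certificate blocks in PEM file $1.
count_pem_certs() {
    # grep -c exits 1 on a count of 0, so mask the status
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Split $1 into $2/$3-N.pem, one certificate block per output file.
# Text outside the markers (for example "subject=" lines) is dropped.
split_pem_chain() {
    awk -v dir="$2" -v prefix="$3" '
        /^-----BEGIN CERTIFICATE-----/ {
            n++; out = sprintf("%s/%s-%d.pem", dir, prefix, n); inside = 1
        }
        inside { print > out }
        /^-----END CERTIFICATE-----/ { if (inside) close(out); inside = 0 }
    ' "$1"
}

# Print "<count> <path>" for each file in directory $1 with >1 certificate.
list_multi_cert_files() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        c=$(count_pem_certs "$f")
        if [ "$c" -gt 1 ]; then printf '%s %s\n' "$c" "$f"; fi
    done
}

# Constructed sample: three placeholder blocks, not real certificates.
write_sample_chain() {
    for name in end-entity intermediate root; do
        printf '%s\n' "subject=CN=$name (constructed)" \
            '-----BEGIN CERTIFICATE-----' "PLACEHOLDER-$name" \
            '-----END CERTIFICATE-----'
    done > "$1"
}

demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/in" "$tmp/out"
    write_sample_chain "$tmp/in/chain.pem"
    list_multi_cert_files "$tmp/in"      # reports chain.pem
    split_pem_chain "$tmp/in/chain.pem" "$tmp/out" cert
    list_multi_cert_files "$tmp/out"     # nothing left to report
    rm -rf "$tmp"
}
demo
```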