Ok, thanks.

One more question.
What if the right and left certs in the negotiation are the same, but
only leftcert is configured in ipsec.conf on the server.
Does strongSwan make any assumptions about the right cert in that case?

- Riku

On 11/11/14 14:19, Martin Willi wrote:
Riku,

Kindly asking to keep the discussion on the list, thanks.

> Is it so that, if (e.g., server side) the ipsec.d/certs folder contains the
> same cert that the client side is using as a subject cert, the certificate
> is automatically trusted?

Just having a cert in ipsec.d/certs does not load it implicitly at all.
Specifying such a cert in a left/rightcert on any connection loads that
certificate as trusted, which means no trust chain validation is
required for any user having a private key for it.

Alternatively you may add a trust anchor constraint by setting a
rightca. This ensures that the peer certificate is issued under a
specific CA, and for example not the one you are using to authenticate
yourself. Explicitly setting rightcert requires that the peer
authenticates with a private key for exactly that certificate specified.

Regards
Martin
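The three settings Martin describes, shown side by side as an added server-side ipsec.conf example that is not from the thread or the strongSwan project; the connection names, file names, hostnames and DNs are constructed placeholders.

```ini
# Added example (not from the thread). File names, hostnames and DNs
# below are constructed placeholders.

# Variant A: only leftcert is set. serverCert.pem is loaded as trusted
# for our own authentication; the peer is accepted with any certificate
# that validates against a loaded CA, with no constraint on which CA.
conn rw-loose
    left=%any
    leftcert=serverCert.pem
    leftid="C=XX, O=Example, CN=vpn.example.test"
    leftauth=pubkey
    right=%any
    rightauth=pubkey
    auto=add

# Variant B: rightca adds a trust anchor constraint, so the peer
# certificate must be issued under this specific CA and a certificate
# from another CA (e.g. the one that issued serverCert.pem) is rejected.
conn rw-strict
    left=%any
    leftcert=serverCert.pem
    leftid="C=XX, O=Example, CN=vpn.example.test"
    leftauth=pubkey
    right=%any
    rightauth=pubkey
    rightca="C=XX, O=Example, CN=Example Client CA"
    auto=add

# Variant C: rightcert pins one peer certificate. The file is loaded as
# trusted (no chain validation for it), and the peer must prove
# possession of the private key for exactly that certificate.
conn site-pinned
    left=%any
    leftcert=serverCert.pem
    leftauth=pubkey
    right=peer.example.test
    rightcert=peerCert.pem
    rightauth=pubkey
    auto=add
```

Variant A is the configuration Riku's question is about: it constrains only the server's own credential, not the peer's.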


_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev