On Wed, Jan 30, 2019, at 9:29 PM, Mr. Jan Walter wrote:
> Actually, the issue turned out to be that the "local id" in the OSX
> VPN config had to be the CN on the client certificate. Yeah,
> obvious, right?

Sure, quite obvious given the detailed and clear error messages from OS X logs :)

To be fair, I think libreswan's debug logging for "failed cert validation" could use an improvement too: instead of just "No matching subjectAltName found", it could log what it is (what name exactly) it was trying to match. Looking at the code, it does for IPs, sort of, but not for DNS names and not if the cert has no subjectAltName at all...

-- 
K
_______________________________________________ Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
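As an added illustration of the diagnostic K is asking for (this is example code written for this page, not code from the thread, from libreswan or from Apple): a checker that takes the names of a certificate in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns, compares an IKE ID against the subjectAltName entries, falls back to the subject CN only when the certificate carries no subjectAltName extension at all, and in every outcome reports exactly which name was tried against which entries. The matching rules (case-insensitive DNS comparison with a single leftmost wildcard label, IP comparison after `ipaddress` normalisation, CN fallback, `CN=` IDs compared by CN only) and both sample certificates are this example's own assumptions, not a description of libreswan's behaviour.

```python
"""Match an IKE identity against certificate names and explain the result.

Added example, not libreswan code. The matching rules here are assumptions
made for illustration; consult the libreswan source for its real behaviour.
"""
import ipaddress

# Constructed sample certificates in the shape ssl.getpeercert() returns.
# Neither corresponds to a real certificate.
CERT_WITH_SAN = {
    "subject": ((("commonName", "client1.example.org"),),),
    "subjectAltName": (("DNS", "vpn-client.example.org"),
                       ("IP Address", "192.0.2.10")),
}
CERT_CN_ONLY = {
    "subject": ((("countryName", "DE"),),
                (("commonName", "client1.example.org"),)),
    # no "subjectAltName" key: the extension is absent
}


def cert_cn(cert):
    """Return the subject commonName, or None if the subject has none."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def _dns_equal(pattern, name):
    """Case-insensitive DNS comparison; pattern may have a leftmost '*' label."""
    p, n = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if p.startswith("*."):
        return "." in n and n.split(".", 1)[1] == p[2:]
    return p == n


def _ip_equal(a, b):
    """Compare two IP literals after normalisation (so '::1' == '0:0:0:0:0:0:0:1')."""
    try:
        return ipaddress.ip_address(a) == ipaddress.ip_address(b)
    except ValueError:
        return False


def match_id(cert, ike_id):
    """Return (matched, message).

    ike_id is '@fqdn' (DNS name), an IP literal, or 'CN=...' (compared against
    the subject CN only; a full DN comparison is out of scope here).
    The message always names the ID that was tried and what it was tried against.
    """
    san = cert.get("subjectAltName")
    cn = cert_cn(cert)

    if ike_id.upper().startswith("CN="):
        want = ike_id[3:]
        if cn is not None and want == cn:
            return True, f"ID {ike_id!r} matched subject CN {cn!r}"
        return False, f"ID {ike_id!r} did not match subject CN {cn!r}"

    if ike_id.startswith("@"):
        want, kind, san_type, eq = ike_id[1:], "DNS", "DNS", _dns_equal
    else:
        want, kind, san_type, eq = ike_id, "IP", "IP Address", _ip_equal

    if san is None:
        # No subjectAltName extension at all: fall back to the CN, and say so.
        if cn is not None and eq(cn, want):
            return True, (f"cert has no subjectAltName; {kind} ID {want!r} "
                          f"matched subject CN {cn!r}")
        return False, (f"cert has no subjectAltName; {kind} ID {want!r} "
                       f"does not match subject CN {cn!r}")

    candidates = [value for typ, value in san if typ == san_type]
    for cand in candidates:
        if eq(cand, want):
            return True, f"{kind} ID {want!r} matched subjectAltName {cand!r}"
    tried = candidates if candidates else f"no {kind} entries"
    return False, f"no matching subjectAltName: looked for {kind} ID {want!r} among {tried}"


if __name__ == "__main__":
    for cert, ike_id in ((CERT_WITH_SAN, "@vpn-client.example.org"),
                         (CERT_WITH_SAN, "@client1.example.org"),
                         (CERT_WITH_SAN, "192.0.2.10"),
                         (CERT_CN_ONLY, "@client1.example.org"),
                         (CERT_CN_ONLY, "CN=client1.example.org"),
                         (CERT_CN_ONLY, "@other.example.org")):
        ok, msg = match_id(cert, ike_id)
        print("OK  " if ok else "FAIL", msg)
```

The second case is the one from the thread: with a subjectAltName present, an ID equal to the CN is not enough, and the message says which DNS names were actually consulted rather than just "no match".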
