Hi Harald,

> Even if Strongswan ignores the additional certs, is it possible that
> some crypto implementation *used* by Strongswan does not, but reads
> all certificates found in the cert files (in /etc/ipsec.d)?

Only the pem plugin reads PEM encoded files, and it only parses one credential per file (unless you are again talking about PKCS#12 containers loaded via P12 keyword in ipsec.secrets).

> Does Strongswan send just the first certificates it has read to the
> peer, or does it send the whole certificate file (the chain)?

What it doesn't parse it can't send.

> Reason for asking is that I see some weird authentication failures if
> I cut off the additional certificates from the chain files and put
> them into separate files.

What does the log say exactly?

Regards,
Tobias
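
An added example, not part of the reply above and not strongSwan code: since only one credential is parsed per PEM file, this Python sketch lists files under a directory such as /etc/ipsec.d that hold more than one PEM object and splits such a bundle into one file per object. The file names and the sample chain are constructed for illustration, and the regex scan is an assumption about how to find PEM objects, not the pem plugin's own parser.

```python
import re
import tempfile
from pathlib import Path

# Matches one PEM object: BEGIN line, body, END line with the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?\r?\n-----END \1-----", re.DOTALL)

# Constructed sample: two placeholder bodies, not real certificates.
SAMPLE_CHAIN = (
    "-----BEGIN CERTIFICATE-----\nQUJDREVGR0g=\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nSUpLTE1OT1A=\n-----END CERTIFICATE-----\n"
)

def pem_blocks(text):
    """Return (label, block_text) for every PEM object found in text."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]

def audit(directory):
    """Map each file holding more than one PEM object to its labels."""
    findings = {}
    for f in sorted(Path(directory).rglob("*")):
        if f.is_file():
            labels = [lbl for lbl, _ in pem_blocks(f.read_text(errors="replace"))]
            if len(labels) > 1:
                findings[str(f)] = labels
    return findings

def split_bundle(path, out_dir):
    """Write each PEM object in path to its own file; return the new paths."""
    path, out_dir = Path(path), Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    written = []
    for i, (_, block) in enumerate(pem_blocks(path.read_text())):
        target = out_dir / f"{path.stem}-{i}{path.suffix or '.pem'}"
        target.write_text(block + "\n")
        target.chmod(0o600)  # a bundle may also carry a private key
        written.append(target)
    return written

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        chain = Path(tmp) / "certs" / "gateway-chain.pem"  # hypothetical name
        chain.parent.mkdir()
        chain.write_text(SAMPLE_CHAIN)
        print(audit(tmp))
        print(split_bundle(chain, Path(tmp) / "split"))
```
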