[Swan-dev] require-id-on-certificate vs allow-cert-without-san-id

Andrew Cagney andrew.cagney at gmail.com
Thu May 6 12:00:00 UTC 2021

I suspect they're just fighting over the same policy bit?

It comes up as I'm trying to get my brain around things like the else
clause in:

                        if (!LIN(POLICY_ALLOW_NO_SAN, c->policy)) {
                                diag_t d = diag("X509: connection failed
due to unmatched IKE ID in certificate SAN");
                                llog_diag(RC_LOG, ike->sa.st_logger, &d,
"%s", "");
                                must_switch = true;
                        } else {
                                log_state(RC_LOG, &ike->sa, "X509:
connection allows unmatched IKE ID and certificate SAN");
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan-dev/attachments/20210506/ecd7be47/attachment.html>

More information about the Swan-dev mailing list