[Swan] SubjectAltName Certificate check
Craig Marker
cmarker at inspeednetworks.com
Wed May 16 16:10:34 UTC 2018
Hello,

I just upgraded from Libreswan 3.20 to 3.23, and the connection I was using was
broken. I’m seeing these messages in the logs:

"tunnel3" #396: certificate verified OK: CN=abcd,OU=CM,O="Foo Inc.",L=Seattle,ST=WA,C=US
"tunnel3" #396: certificate does not contain subjectAltName=client
"tunnel3" #396: Peer public key SubjectAltName does not match peer ID for this connection

I’ve been using leftid=@client in my configuration files to match incoming connections. This cannot
be changed, as I need some way for a server-like machine to determine which incoming IPsec offering
goes with which configuration.

The mechanism I’m using to generate certificates doesn’t provide an option for SubjectAltName.

Is there anything I can do, while I figure out a longer term plan, to rectify this situation? Otherwise
I’ll have to downgrade my Libreswan distribution or look into a different IPsec offering.
--
cm
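
An added example, not part of the original post and not Libreswan code: a Python script that scans pluto log text for the messages quoted above and lists each connection whose certificate chain verified but was then rejected because no subjectAltName matched the configured ID. The function name `san_failures` and the "tunnel7" log line are constructed for illustration.

```python
import re
from collections import defaultdict

# First three lines are the messages quoted in the post; the "tunnel7"
# line is constructed to show a connection that is not affected.
SAMPLE_LOG = '''\
"tunnel3" #396: certificate verified OK: CN=abcd,OU=CM,O="Foo Inc.",L=Seattle,ST=WA,C=US
"tunnel3" #396: certificate does not contain subjectAltName=client
"tunnel3" #396: Peer public key SubjectAltName does not match peer ID for this connection
"tunnel7" #401: certificate verified OK: CN=efgh,OU=CM,O="Foo Inc.",L=Seattle,ST=WA,C=US
'''

LINE = re.compile(r'"(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)')
VERIFIED = re.compile(r'certificate verified OK: (?P<subject>.+)')
MISSING = re.compile(r'certificate does not contain subjectAltName=(?P<san>\S+)')
MISMATCH = 'Peer public key SubjectAltName does not match peer ID'

def san_failures(log_text):
    """Return one record per (connection, state) whose certificate was
    rejected on the subjectAltName / peer ID comparison."""
    states = defaultdict(dict)
    for raw in log_text.splitlines():
        m = LINE.search(raw)  # search() tolerates a syslog prefix before the name
        if not m:
            continue
        rec = states[(m['conn'], int(m['state']))]
        msg = m['msg']
        if (v := VERIFIED.match(msg)):
            rec['subject'] = v['subject']        # DN of the certificate that verified
        elif (s := MISSING.match(msg)):
            rec['missing_san'] = s['san']        # the ID pluto looked for as a SAN
        elif msg.startswith(MISMATCH):
            rec['rejected'] = True
    return [
        {'conn': c, 'state': st, 'subject': r.get('subject'),
         'missing_san': r.get('missing_san')}
        for (c, st), r in sorted(states.items())
        if r.get('rejected') or 'missing_san' in r
    ]

if __name__ == '__main__':
    for f in san_failures(SAMPLE_LOG):
        print(f"{f['conn']} #{f['state']}: needs SAN {f['missing_san']!r} on {f['subject']}")
```

Running it over the logs of a gateway after the upgrade gives the list of connections and IDs for which reissued certificates would need a matching subjectAltName.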