Hi Graham,

> Does strongSwan (on the initiator) check that the original FQDN/IDr is
> also in the certificate?

Yes.

> If the certificate has only a "subject" and no "subjectAltName", does
> strongSwan check that the IDr matches the CN specified in the
> "subject" of the certificate?

Unlike in SSL/TLS, we check the ID against the full subject Distinguished Name, not only against the CN RDN. In other words, the ID gateway.example.com does not match against "C=CH, O=strongSwan, CN=gateway.example.com". You'd have to use the full DN as the identity then.

> If the certificate has both a "subject" and "subjectAltName", does
> strongSwan check that the IDr matches EITHER the CN specified in the
> "subject" OR one of the multiple "subjectAltName" entries?

It must match the full subject DN or one of the subjectAltNames.

> A customer of ours is convinced that if both a "subject" and one (or
> more) "subjectAltName" are present, the initiator must check that the
> IDr matches (one of) the "subjectAltName" entries AND must also check
> that the IDr does NOT match the "subject"'s CN.

I don't see why such a restriction would make sense, and I can't find such a rule in RFC 4945.

Regards
Martin

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
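The matching rule Martin describes (a DN identity must equal the whole subject DN; any other identity type is looked for among the subjectAltName entries only, never against the subject's CN on its own; a matching SAN does not exclude a matching subject) as an added, stand-alone example. This is not strongSwan's code: the `Cert` model, `parse_dn`, `classify_id` and `id_matches_cert` are this example's own helpers, the certificate data is constructed, and comparing DN attribute values case-insensitively is a choice made here rather than a statement about strongSwan's comparator.

```python
# Added example (not strongSwan code): the peer-identity check described in the
# reply above, written against a constructed certificate model so it runs offline.
# Assumptions: Cert, parse_dn(), classify_id() and id_matches_cert() are this
# example's own helpers; DN values are compared ignoring case, which is a choice
# made for the example, not a statement about how strongSwan compares DNs.
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Cert:
    """Minimal stand-in for an X.509 end-entity certificate."""
    subject: list                              # ordered RDN list, e.g. [("C", "CH"), ("O", "strongSwan"), ("CN", "gw")]
    sans: list = field(default_factory=list)   # subjectAltName entries as (kind, value); kind in {"dns", "email", "ip"}


def parse_dn(text: str) -> list:
    """Split 'C=CH, O=strongSwan, CN=gateway.example.com' into an ordered RDN list.
    Attribute types are upper-cased; values keep their case and are compared without it later.
    Limitation of this example: escaped ',' or '=' inside a value is not handled."""
    rdns = []
    for part in text.split(","):
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def classify_id(identity: str):
    """Guess the IKE identity type from its textual form, as an admin would write it in rightid=."""
    if "=" in identity:
        return "dn", parse_dn(identity)
    if "@" in identity:
        return "email", identity.lower()
    try:
        return "ip", str(ipaddress.ip_address(identity))
    except ValueError:
        return "dns", identity.lower().rstrip(".")


def dn_equal(a: list, b: list) -> bool:
    """Whole-DN comparison: same number of RDNs, same order, same attribute types,
    values equal ignoring case. A partial DN such as 'CN=gateway.example.com'
    therefore never equals the full subject 'C=CH, O=strongSwan, CN=gateway.example.com'."""
    return len(a) == len(b) and all(
        x[0] == y[0] and x[1].lower() == y[1].lower() for x, y in zip(a, b))


def id_matches_cert(identity: str, cert: Cert) -> bool:
    """True if the identity matches the full subject DN or one subjectAltName entry."""
    kind, value = classify_id(identity)
    if kind == "dn":
        return dn_equal(value, cert.subject)
    # Every other identity type is looked for among SANs of the same kind only.
    # The subject's CN is deliberately never consulted for an FQDN/email/IP identity.
    for san_kind, san_value in cert.sans:
        if san_kind != kind:
            continue
        if kind == "ip":
            if ipaddress.ip_address(san_value) == ipaddress.ip_address(value):
                return True
        elif san_value.lower().rstrip(".") == value:
            return True
    return False


# Constructed sample data: the gateway certificate from the reply, once with only a
# subject and once with subjectAltName entries added.
GATEWAY_DN = "C=CH, O=strongSwan, CN=gateway.example.com"
CERT_SUBJECT_ONLY = Cert(subject=parse_dn(GATEWAY_DN))
CERT_WITH_SAN = Cert(subject=parse_dn(GATEWAY_DN),
                     sans=[("dns", "gateway.example.com"), ("ip", "192.0.2.1")])


def demo() -> dict:
    """Each case from the thread, keyed by a short description."""
    return {
        "fqdn vs subject-only cert": id_matches_cert("gateway.example.com", CERT_SUBJECT_ONLY),  # False
        "fqdn vs cert with SAN": id_matches_cert("gateway.example.com", CERT_WITH_SAN),          # True
        "full DN vs subject-only cert": id_matches_cert(GATEWAY_DN, CERT_SUBJECT_ONLY),          # True
        "full DN vs cert with SAN": id_matches_cert(GATEWAY_DN, CERT_WITH_SAN),                  # True: a SAN does not exclude the subject
        "CN only vs cert with SAN": id_matches_cert("CN=gateway.example.com", CERT_WITH_SAN),    # False: partial DN
        "ip vs cert with SAN": id_matches_cert("192.0.2.1", CERT_WITH_SAN),                      # True
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{'match   ' if ok else 'no match'}  {case}")
```

The practical consequence for a configuration is the one Martin states: if the gateway certificate carries no subjectAltName, set the peer identity to the full DN (in the example's terms, `GATEWAY_DN`), because the bare FQDN will not match the CN.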