Hi Karl,

> Yes. If the frag-eating monster does not get me BOTH certificates work
> (when sent from the server with the switch turned on.)
OK, I see what the problem is. If no certificate is exchanged, the used certificate does not end up in the remote auth-cfg in a way currently used when trying to check the configured identity (hostname here) against the subjectAlternativeName extension of the certificate (only received certificates are currently considered there). I changed that in the local-cert-san-check branch.

As a workaround you could either change the identity the server uses (leftid) to genesis.denninger.net, or set the server identity in the client profile to the one the server actually uses, which is currently the full subject DN of the certificate.

Regards,
Tobias
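The identity check described in the reply, as an added illustration that is not strongSwan code: a configured peer identity is matched against a certificate's subject DN or its subjectAltName entries, and the hostname identity only succeeds when the SAN list is consulted. The certificate values are constructed placeholders; `check_san=False` models the path where a locally stored (not received) certificate's SANs are ignored.

```python
from dataclasses import dataclass, field


@dataclass
class Cert:
    subject_dn: str                           # e.g. "C=US, O=Example, CN=host"
    sans: list = field(default_factory=list)  # dNSName entries from subjectAltName


def normalize_dn(dn: str) -> str:
    # Compare DNs attribute by attribute, ignoring spacing and case.
    return ",".join(part.strip().lower() for part in dn.split(","))


def identity_matches(identity: str, cert: Cert, check_san: bool = True) -> bool:
    """Return True if `identity` names this certificate.

    An identity written as a DN must equal the subject DN exactly. Any other
    identity (a hostname here) is only accepted if it appears in the SAN list,
    and check_san=False models the case from the mail where a certificate that
    was not received over the wire never has its SANs consulted.
    """
    if "=" in identity:  # treated as a distinguished name
        return normalize_dn(identity) == normalize_dn(cert.subject_dn)
    if not check_san:
        return False
    return identity.lower() in (san.lower() for san in cert.sans)


# Constructed sample certificate; the DN and SAN are placeholders, not the real cert.
SERVER_CERT = Cert(
    subject_dn="C=US, O=Example Org, CN=genesis.denninger.net",
    sans=["genesis.denninger.net"],
)


def demo() -> dict:
    """Outcome of each identity/check combination discussed in the mail."""
    host = "genesis.denninger.net"
    return {
        "hostname, SAN ignored": identity_matches(host, SERVER_CERT, check_san=False),
        "hostname, SAN checked": identity_matches(host, SERVER_CERT),
        "full subject DN": identity_matches(SERVER_CERT.subject_dn, SERVER_CERT, check_san=False),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'match' if ok else 'no match'}")
```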