Comments (3)
> When a certificate file is selected for the server, the nm backend loads only a single cert from that file, even if it is a PEM bundle of both CA certs.
Yeah, strongSwan does not support certificate bundles. Changing that is currently not planned.
> When no cert file is selected, the nm backend loads all certs from the system CA folder.
You can also configure your own directory (that e.g. only contains the CA certificates you need) via charon-nm.ca_dir option.
> Putting the same CA certs bundle PEM file in that folder makes TLS-based EAP methods working again.
Not unless that bundle is processed by a tool and split up into separate files. There is no difference in how files are loaded from the configured directory vs. when configured in the GUI.
https://bugs.debian.org/853266 doesn't provide sufficient details, but it might be related.
Maybe it's oversimplified, but I find it difficult to understand that a directory providing 2 certificates is supported, while a file providing the same 2 certificates is not. Just my $0.02.
> https://bugs.debian.org/853266 doesn't provide sufficient details, but it might be related.
Don't think so. Not only was that created long before basic support for TLS-based EAP methods was added to charon-nm with bc3eda9 in 2020, the main issue is that libcharon-extra-plugins does not ship the eap-peap plugin (it does ship the eap-ttls plugin, though).
> Maybe it's oversimplified, but I find it difficult to understand that a directory providing 2 certificates is supported, while a file providing the same 2 certificates is not.
strongSwan's certificate parsers can only handle a single certificate per file. So loading a directory with multiple files, each containing a trusted certificate, is straightforward; loading multiple certificates from a single file is not.
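Added example, not part of the thread and not strongSwan's own tooling: one way to do the "split up into separate files" step mentioned above, so that a directory used as charon-nm.ca_dir holds exactly one certificate per file. The function names, output file naming and the sample bundle (placeholder bodies, not parseable certificates) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: split a PEM bundle into one-certificate-per-file.

# split_pem_bundle BUNDLE OUTDIR
# Writes OUTDIR/<bundle-name>-NN.pem for each certificate block and prints
# the number of certificates written. Text outside BEGIN/END markers
# (comments, subject lines) is dropped.
split_pem_bundle() {
    bundle=$1
    outdir=$2
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 1; }
    mkdir -p "$outdir" || return 1
    prefix=$(basename "$bundle" .pem)
    awk -v dir="$outdir" -v prefix="$prefix" '
        /^-----BEGIN CERTIFICATE-----/ {
            n++
            out = sprintf("%s/%s-%02d.pem", dir, prefix, n)
            inside = 1
        }
        inside { print > out }      # first write truncates, later ones append
        /^-----END CERTIFICATE-----/ {
            if (inside) close(out)
            inside = 0
        }
        END {
            if (inside) {
                print "unterminated certificate block" > "/dev/stderr"
                exit 2
            }
            print n + 0
        }
    ' "$bundle"
}

# make_sample_bundle PATH
# Constructed two-entry bundle for trying the function offline.
make_sample_bundle() {
    cat > "$1" <<'EOF'
# constructed root CA (placeholder body)
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtQQ==
-----END CERTIFICATE-----
# constructed intermediate CA (placeholder body)
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtQg==
-----END CERTIFICATE-----
EOF
}
```

Run it against the real bundle and an empty, root-owned directory, then check that the count it prints matches the number of CA certificates you expect to trust.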