Multiple Certs and Keys

Yick Xie yick.xie at gmail.com
Tue Jun 28 15:10:57 PDT 2016


Hello Nikos,

As I tested, the openconnect client can successfully tell them apart.
However, in fact the openconnect client does not care about the match of
the domain and the cert (no warning popped up), even if the ocserv
delivers the other cert. And I have not yet fully tested whether it
would work without the dns_name field or just with an IP cert. It looks
like a quite different way to sift the correct cert in AnyConnect,
compared with Openconnect. Is there a better way to work around it?
One more thing beyond this topic is, the openconnect client on PC
seems incompatible with AnyConnect, because the tap device always fails
to obtain the correct IPv4 gateway, at least on my Windows 7. More
problems with the openconnect client include "fail to read completely
from tap device", "fail to write to tap device", "buffer is not
enough", etc. These issues vary between different servers. Yet no
problem with AnyConnect. Are they related to MTU issues?

Regards,
Yick

2016-06-28 15:07 GMT+08:00 Nikos Mavrogiannopoulos
<n.mavrogiannopoulos at gmail.com>:
> On Mon, Jun 27, 2016 at 7:40 AM, Yick Xie <yick.xie at gmail.com> wrote:
>> Hello Nikos,
>> Today I just upgraded the gnutls to 3.4.13, but this problem still
>> existed. Even when I just self-signed two certs based on 2 domains such as
>> a.domain.com and b.domain.com. When connecting via the second cert,
>> the AnyConnect client always popped up "Certificate does not match the
>> server name". I have already added the dns_name and kept it the same as
>> the CN. Is there something I missed in the configuration?
>
> What does openconnect client do? Does it use the correct certificate?
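The two checks this thread turns on, as an added example that is not part of the original mail or of openconnect/ocserv: server-side selection of the cert whose name covers the SNI the client sent, and the client-side check that the delivered cert actually names the host being connected to (the dns_name SAN, the CN only as a fallback, and an IP SAN for an IP cert). The certificate dicts are constructed and follow the shape Python's ssl getpeercert() returns.

```python
import ipaddress

# Constructed sample certificates in the dict shape ssl.SSLSocket.getpeercert() returns.
CERT_A = {"subject": ((("commonName", "a.domain.com"),),),
          "subjectAltName": (("DNS", "a.domain.com"),)}
CERT_B = {"subject": ((("commonName", "b.domain.com"),),),
          "subjectAltName": (("DNS", "b.domain.com"),)}
CERT_WILD = {"subject": ((("commonName", "*.domain.com"),),),
             "subjectAltName": (("DNS", "*.domain.com"),)}
CERT_IP = {"subject": ((("commonName", "203.0.113.5"),),),
           "subjectAltName": (("IP Address", "203.0.113.5"),)}

def _san(cert, kind):
    return [v for k, v in cert.get("subjectAltName", ()) if k == kind]

def _common_name(cert):
    for rdn in cert.get("subject", ()):
        for k, v in rdn:
            if k == "commonName":
                return v
    return None

def _dns_match(pattern, hostname):
    # Exact match, or a wildcard that covers exactly one leftmost label (RFC 6125).
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "." in hostname:
        return hostname.split(".", 1)[1] == pattern[2:]
    return False

def hostname_matches(cert, hostname):
    """True if the cert names the host the client meant to reach.
    An IP literal is matched only against iPAddress SANs; for a DNS name the
    dNSName SAN wins and the CN is consulted only when no dNSName is present."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(v) == ip for v in _san(cert, "IP Address"))
    names = _san(cert, "DNS")
    if not names:
        cn = _common_name(cert)
        names = [cn] if cn else []
    return any(_dns_match(n, hostname) for n in names)

def select_cert_for_sni(sni, certs):
    """Server side: hand out the cert covering the SNI name, else the first one."""
    return next((c for c in certs if hostname_matches(c, sni)), certs[0])
```

The second check is the one a client should run on whatever cert the server delivers; a mismatch like hostname_matches(CERT_A, "b.domain.com") returning False is exactly the case that should raise a warning.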
