[Openswan Users] left/rightsendcert=always questions

Nate Carlson natecars at natecarlson.com
Fri May 14 14:54:26 CEST 2004


On Fri, 14 May 2004, Michael Richardson wrote:
>     Nate> How does the ifasked option work? If it's a case where anyone
>     Nate> can request the certificate (no authentication beforehand
>     Nate> required), I don't see how that'd be any more secure than just
>     Nate> sending it out to start with.
> 
>   ifasked means send a certificate if there is a certificate request.
>
>   Specifically, send the certificate that has been signed with the CA that
> the certificate request says.

So what happens if you connect two machines that are both set to
sendcert=ifasked? Will one of them still ask for the certificate from the
other one, since you're doing certificate-based authentication? (Sorry,
not an IPsec protocol expert.)

>   Always sending the certificate causes UDP fragmentation issues.

------------------------------------------------------------------------
| nate carlson | natecars at natecarlson.com | http://www.natecarlson.com |
|       depriving some poor village of its idiot since 1981            |
------------------------------------------------------------------------

