android: Always send the client certificate

In scenarios where the server accepts client certificates from dozens or
even hundreds of CAs it might be necessary to omit certificate request
payloads from the IKE_SA_INIT response to avoid fragmentation.

As it is rarely the case in road-warrior scenarios that the server
already has the client certificate installed it should not be a problem
to always send it.

diff --git a/src/frontends/android/app/src/main/jni/libandroidbridge/backend/android_service.c b/src/frontends/android/app/src/main/jni/libandroidbridge/backend/android_service.c
index 986854cdd26e780ddbeb5e21bd328ae043606627..d41aa2f7cbb8da37424225e26bee1a7dc5eccebf 100644 (file)
--- a/src/frontends/android/app/src/main/jni/libandroidbridge/backend/android_service.c
+++ b/src/frontends/android/app/src/main/jni/libandroidbridge/backend/android_service.c
@@ -739,7 +739,7 @@ static job_requeue_t initiate(private_android_service_t *this)
        ike_sa_t *ike_sa;
        auth_cfg_t *auth;
        peer_cfg_create_t peer = {
-               .cert_policy = CERT_SEND_IF_ASKED,
+               .cert_policy = CERT_ALWAYS_SEND,
                .unique = UNIQUE_REPLACE,
                .rekey_time = 36000, /* 10h */
                .jitter_time = 600, /* 10min */