From: Tobias Brunner Date: Thu, 8 Feb 2018 11:15:36 +0000 (+0100) Subject: android: Always send the client certificate X-Git-Tag: 5.6.2rc1~24 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6bafa2d346736a0b479a6d7acb623d86c2fb4cda;p=thirdparty%2Fstrongswan.git android: Always send the client certificate In scenarios where the server accepts client certificates from dozens or even hundreds of CAs it might be necessary to omit certificate request payloads from the IKE_SA_INIT response to avoid fragmentation. As it is rarely the case in road-warrior scenarios that the server already has the client certificate installed it should not be a problem to always send it. --- diff --git a/src/frontends/android/app/src/main/jni/libandroidbridge/backend/android_service.c b/src/frontends/android/app/src/main/jni/libandroidbridge/backend/android_service.c index 986854cdd2..d41aa2f7cb 100644 --- a/src/frontends/android/app/src/main/jni/libandroidbridge/backend/android_service.c +++ b/src/frontends/android/app/src/main/jni/libandroidbridge/backend/android_service.c @@ -739,7 +739,7 @@ static job_requeue_t initiate(private_android_service_t *this) ike_sa_t *ike_sa; auth_cfg_t *auth; peer_cfg_create_t peer = { - .cert_policy = CERT_SEND_IF_ASKED, + .cert_policy = CERT_ALWAYS_SEND, .unique = UNIQUE_REPLACE, .rekey_time = 36000, /* 10h */ .jitter_time = 600, /* 10min */
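Review bot: The `.cert_policy = CERT_ALWAYS_SEND` initializer in `initiate()` carries no comment, so the reason for moving away from `CERT_SEND_IF_ASKED` (servers that omit certificate request payloads from the IKE_SA_INIT response to avoid fragmentation) is recorded only in the commit message; a short comment on that line would keep the rationale next to the setting. The value is also set unconditionally in the `peer_cfg_create_t` initializer, and the hunk does not show whether the profile's authentication type is consulted afterwards, so it is worth confirming that profiles without a client certificate are unaffected. Because the certificate is now sent whether or not it was requested, the client's own IKE_AUTH request grows by the size of the certificate, which should be checked on paths where fragmentation is already a concern.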