On 2015/09/30 17:17, Reyk Floeter wrote:
> The attached diff always responds with a CERT or public key. If the
> peer didn't send a CERTREQ, iked now picks a cert based on its own
> trusted CAs (which usually includes the CA that signed your local
> cert).

This diff looks sane, OK with me, though I don't have a way to test it. That may also fix a problem with IKEv2 on BlackBerry and Firebrick if my diff from https://marc.info/?l=openbsd-misc&m=143594978109212&w=2 is added on top of this. (I don't have any of this hardware myself though).