Hello Nikos,

Today I just upgraded gnutls to 3.4.13, but this problem still exists. I even just self-signed two certs based on 2 domains, such as a.domain.com and b.domain.com. When connecting via the second cert, the AnyConnect client always popped up "Certificate does not match the server name". I have already added the dns_name and kept it the same as the CN. Is there something I missed in the configuration?

Regards,
Yick

2016-05-20 13:58 GMT+08:00 Nikos Mavrogiannopoulos <n.mavrogiannopoulos at gmail.com>:
> On Tue, 2016-05-10 at 06:14 +0800, Yick Xie wrote:
>> I tested and it did not work. Still the first one in the order would
>> be delivered; the case is the same as the IP cert.
>>
>> ONE cert was issued with dns_name="xxx.com";
>> TWO cert was issued with dns_name="vpn.yyy.net".
>> The gnutls is 3.3.18, some more configuration to enable SNI? How to
>> verify my environment? Perhaps due to some other outdated libs?
>
> I verified that was an issue affecting ocserv. That is solved with the
> new gnutls releases (3.3.23 or 3.4.12).
>
> regards,
> Nikos