Hello Nikos,

As I tested, the OpenConnect client can successfully tell them apart. However, in fact the OpenConnect client does not care about the match between the domain and the cert (no warning popped up), even if ocserv delivers the other cert. And I have not yet fully tested whether it would work without the dns_name field or just with an IP cert. It looks like a quite different way to sift the correct cert in AnyConnect, compared with OpenConnect. Is there a better way to work around it?

One more thing beyond this topic is that the OpenConnect client on PC seems incompatible with AnyConnect, because the TAP device always fails to obtain the correct IPv4 gateway, at least on my Windows 7. More problems with the OpenConnect client include "fail to read completely from tap device", "fail to write to tap device", "buffer is not enough", etc. These issues vary between different servers. Yet no problem with AnyConnect. Are they related to MTU issues?

Regards,
Yick

2016-06-28 15:07 GMT+08:00 Nikos Mavrogiannopoulos <n.mavrogiannopoulos at gmail.com>:
> On Mon, Jun 27, 2016 at 7:40 AM, Yick Xie <yick.xie at gmail.com> wrote:
>> Hello Nikos,
>> Today I just upgraded gnutls to 3.4.13, but this problem still
>> exists. Even if I just self-sign two certs based on 2 domains such as
>> a.domain.com and b.domain.com, when connecting via the second cert,
>> the AnyConnect client always pops up "Certificate does not match the
>> server name". I have already added the dns_name and kept it the same as
>> the CN. Is there something I missed in the configuration?
>
> What does the OpenConnect client do? Does it use the correct certificate?
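The error text in the thread, "Certificate does not match the server name", is the client-side hostname check: after the server has picked a certificate (normally by the SNI name the client sends), the client compares the name it connected to against the certificate's subjectAltName dNSName entries, and only if there are none may it fall back to the CN. The block below is an added example written for this page; it is not code from ocserv, OpenConnect or AnyConnect, and it makes no claim about how AnyConnect implements the rule beyond the RFC 6125 semantics it encodes (the CN fallback is a switch because clients differ on it). The certificate dicts are constructed by hand in the shape that Python's `ssl.SSLSocket.getpeercert()` returns; the names a.domain.com and b.domain.com come from the thread, the IP address and wildcard certificate are illustrative.

```python
"""Hostname-vs-certificate matching (RFC 6125 / RFC 2818 style) and
SNI-based certificate selection, as an illustration of the check that
produces "Certificate does not match the server name".

Added example: not ocserv, OpenConnect or AnyConnect code. Certificates
below are constructed dicts in ssl.getpeercert() shape, not real certs.
"""
import ipaddress

# Constructed sample certificates (getpeercert() shape), illustrative only.
CERT_A = {"subject": ((("commonName", "a.domain.com"),),),
          "subjectAltName": (("DNS", "a.domain.com"),)}
CERT_B = {"subject": ((("commonName", "b.domain.com"),),),
          "subjectAltName": (("DNS", "b.domain.com"),)}
# CN only, no SAN: the case where "dns_name" was left out of the template.
CERT_CN_ONLY = {"subject": ((("commonName", "b.domain.com"),),)}
# IP-literal certificate (address is an RFC 5737 documentation address).
CERT_IP = {"subject": ((("commonName", "203.0.113.10"),),),
           "subjectAltName": (("IP Address", "203.0.113.10"),)}
CERT_WILDCARD = {"subject": ((("commonName", "*.domain.com"),),),
                 "subjectAltName": (("DNS", "*.domain.com"),)}


def _san_entries(cert, kind):
    """All subjectAltName values of one kind ("DNS" or "IP Address")."""
    return [value for key, value in cert.get("subjectAltName", ()) if key == kind]


def _common_name(cert):
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def _dns_match(pattern, hostname):
    """Case-insensitive DNS name match; '*' may only be the whole leftmost
    label and matches exactly one label (no wildcard for two-label names)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3 or p_labels[0] != "*":
        return False
    return p_labels[1:] == h_labels[1:]


def match_hostname(cert, server_name, allow_cn_fallback=False):
    """Client-side check. Returns (matched, reason).

    SAN dNSName entries are authoritative; the CN is consulted only when the
    certificate has no dNSName at all and the caller allows the legacy
    fallback. An IP literal matches SAN "IP Address" entries only."""
    try:
        ip = ipaddress.ip_address(server_name)
    except ValueError:
        ip = None
    if ip is not None:
        for entry in _san_entries(cert, "IP Address"):
            try:
                if ipaddress.ip_address(entry) == ip:
                    return True, "SAN IP Address %s" % entry
            except ValueError:
                continue
        return False, "no SAN IP Address entry matches (CN is never used for IP literals)"
    dns_names = _san_entries(cert, "DNS")
    for name in dns_names:
        if _dns_match(name, server_name):
            return True, "SAN dNSName %s" % name
    if dns_names:
        return False, "SAN present but none of %r matches %s" % (dns_names, server_name)
    cn = _common_name(cert)
    if allow_cn_fallback and cn and _dns_match(cn, server_name):
        return True, "CN %s (legacy fallback, certificate has no SAN)" % cn
    return False, "no SAN dNSName; CN fallback disabled or CN %r does not match" % cn


def select_by_sni(cert_list, sni):
    """Server side: first certificate whose names cover the SNI host,
    otherwise the first (default) certificate."""
    for cert in cert_list:
        if match_hostname(cert, sni)[0]:
            return cert
    return cert_list[0]


def simulate_connection(server_certs, server_name, send_sni=True):
    """Pick the certificate the server would deliver, then run the client
    check against it. Returns (matched, reason, delivered_cert)."""
    delivered = select_by_sni(server_certs, server_name) if send_sni else server_certs[0]
    matched, reason = match_hostname(delivered, server_name)
    return matched, reason, delivered


if __name__ == "__main__":
    for name in ("a.domain.com", "b.domain.com"):
        for sni in (True, False):
            ok, why, _ = simulate_connection([CERT_A, CERT_B], name, send_sni=sni)
            print("%-13s sni=%-5s -> %s (%s)" % (name, sni, ok, why))
```

Running the module shows the thread's symptom from the client's point of view: b.domain.com only passes when the server selects CERT_B, and a CN-only certificate fails unless the client still honours the legacy CN fallback. To see which certificate a real ocserv instance delivers for a given name, connect with an explicit SNI and print the subject and SAN, for example `openssl s_client -servername b.domain.com -connect host:443 </dev/null | openssl x509 -noout -subject -text`, and compare the DNS entries against the name the client actually connects to.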