Hi Sam,

> I have been running into some issues getting it to load certs. I think it
> is just my misunderstanding of the datatype that the load_conn 'certs'
> field is expecting.

The vici syntax tree is mostly the same as the syntax tree in swanctl.conf. However, there are a few exceptions, and the "certs" field is one of them. Unfortunately that is not yet documented.

> In the swanctl documentation it says a comma separated list of paths to
> certifications.

While the swanctl.conf option takes path names, swanctl loads any credential files locally, reads the data, performs any credential decryption if required, and passes on the loaded credential as a DER encoded blob over vici. Alternatively you can pass a PEM encoded blob, but you should do the decryption on the client side, as that is where you can query the user for passwords.

The list of path names gets translated to a vici list of the credential blobs. Look for the is_file_list_key() function in [1] for which keywords this is done.

There are some other exceptions, where a "comma separated list" of items gets translated to a vici list locally in swanctl. In contrast to the vici format, swanctl.conf/strongswan.conf does not know the concept of lists, hence we manually translate comma separated lists. Check the is_list_key() function in [1] for the keywords.

Important to add: the certs/cacerts options in the conn section define end entity or CA connection constraints; you may alternatively/additionally load these certificates to the global certificate pool using the load-cert vici command (which takes the certificate as a blob as well).

Regards
Martin

[1] http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/swanctl/commands/load_conns.c
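The translation Martin describes, written out as an added example (not code from this thread or from swanctl itself): a swanctl.conf-style section with a comma-separated "certs" path list becomes a vici list of DER blobs, other comma-separated keywords become plain lists, and an encrypted PEM is refused so decryption stays on the client. The keyword sets are an illustrative subset (the real ones are in is_file_list_key() and is_list_key() in load_conns.c), the sample "files" are constructed in-memory stand-ins, and it is assumed the resulting dict is what the vici Python package's Session.load_conn() takes for that section.

```python
import base64
import re
from typing import Callable, Dict, List, Union

# Keywords swanctl treats as comma-separated lists of credential *files* and
# replaces with the loaded, DER-decoded content before sending over vici
# (cf. is_file_list_key() in src/swanctl/commands/load_conns.c). Only the two
# named in the mail are listed here; the full set is in that function.
FILE_LIST_KEYS = {"certs", "cacerts"}
# Keywords swanctl splits into plain vici lists (cf. is_list_key()); an
# illustrative subset of swanctl.conf keywords, not the complete list.
LIST_KEYS = {"local_addrs", "remote_addrs", "local_ts", "remote_ts"}

_PEM = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_to_der(data: bytes) -> bytes:
    """Return DER for a PEM blob; pass DER through unchanged. Encrypted PEM is
    refused: decrypt on the client, where a passphrase can be requested,
    before anything goes over vici."""
    m = _PEM.search(data)
    if not m:
        return data
    if b"ENCRYPTED" in m.group(1) or b"Proc-Type: 4,ENCRYPTED" in m.group(2):
        raise ValueError("decrypt the credential locally before loading it")
    body = b"".join(ln.strip() for ln in m.group(2).splitlines() if b":" not in ln)
    return base64.b64decode(body)

def split_list(value: str) -> List[str]:
    return [item.strip() for item in value.split(",") if item.strip()]

def to_vici_section(section: Dict[str, str],
                    read_file: Callable[[str], bytes]) -> Dict[str, Union[str, List[str], List[bytes]]]:
    """Map one flat swanctl.conf-style section to the dict shape assumed to be
    accepted for that section by vici.Session().load_conn()."""
    out: Dict[str, Union[str, List[str], List[bytes]]] = {}
    for key, value in section.items():
        if key in FILE_LIST_KEYS:
            out[key] = [pem_to_der(read_file(path)) for path in split_list(value)]
        elif key in LIST_KEYS:
            out[key] = split_list(value)
        else:
            out[key] = value
    return out

# Constructed sample: a tiny DER SEQUENCE standing in for a real certificate,
# once wrapped in PEM and once raw, keyed by made-up paths.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_FILES = {
    "/etc/swanctl/x509/moon.pem": b"-----BEGIN CERTIFICATE-----\n"
                                  + base64.encodebytes(SAMPLE_DER) + b"-----END CERTIFICATE-----\n",
    "/etc/swanctl/x509/sun.der": SAMPLE_DER,
}

if __name__ == "__main__":
    print(to_vici_section({"certs": "/etc/swanctl/x509/moon.pem, /etc/swanctl/x509/sun.der",
                           "id": "moon"}, SAMPLE_FILES.__getitem__))
```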
