On 2015-07-03, Stuart Henderson <s...@spacehopper.org> wrote:
> On 2015-07-02, Denis Lapshin <den...@mindall.org> wrote:
>> ikev2_pld_payloads: decrypted payload CERTREQ nextpayload CP critical
>> 0x00 length 5
>> ikev2_pld_certreq: type X509_CERT signatures length 0
>> ikev2_pld_certreq: invalid certificate request
>> ikev2_resp_recv: failed to parse message
>
> iked doesn't accept an empty certreq (which appears to be valid), this affects
> interop with Firebrick's implementation too.
Denis replied off-list but his MTA isn't answering so I'll reply here. <den...@mindall.org>: connect to mindall.org[5.23.109.177]:25: Connection refused On 2015/07/03 11:40, Denis Lapshin wrote: > Stuart, > > What can be done to accept an empty certreq (or fill certreq) on server's > side and/or phone's side to obtain a connection? You could try this diff, though I'm not sure whether it is correct, I don't have a suitable IKEv2 implementation to test against myself. Index: ikev2_pld.c =================================================================== RCS file: /cvs/src/sbin/iked/ikev2_pld.c,v retrieving revision 1.50 diff -u -p -r1.50 ikev2_pld.c --- ikev2_pld.c 26 Mar 2015 19:52:35 -0000 1.50 +++ ikev2_pld.c 3 Jul 2015 09:19:29 -0000 @@ -916,7 +916,9 @@ ikev2_pld_certreq(struct iked *env, stru return (0); if (cert.cert_type == IKEV2_CERT_X509_CERT) { - if (!len || (len % SHA_DIGEST_LENGTH) != 0) { + if (!len) + return (0); + if ((len % SHA_DIGEST_LENGTH) != 0) { log_debug("%s: invalid certificate request", __func__); return (-1); }
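Review bot: the new `if (!len) return (0);` at the top of the X509_CERT branch makes an empty certificate request parse successfully while skipping everything ikev2_pld_certreq would otherwise do with the CA hash list, so this only works if the caller already treats "no hashes" as "any certificate is acceptable"; since the cover text says the diff is untested, that should be confirmed before commit rather than assumed. A short comment on the early return and a `log_debug("%s: empty certificate request", __func__);` (matching the existing log_debug style in the hunk) would make the case visible in interop traces like the one Denis posted. Note also that the relaxation applies only after the `cert.cert_type == IKEV2_CERT_X509_CERT` test, so a zero-length request of any other certificate type still takes whatever path the unchanged code below takes.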