On 2025-07-07, open...@mailbox.org <open...@mailbox.org> wrote:

> Hello,
>
> I would like to understand why OpenBSD 7.7's iked always uses
> /etc/iked/private/local.key, no matter what better matching keys and certs
> are available under /etc/iked/private and /etc/iked/certs and no matter what
> is specified as local ID in /etc/iked.conf's srcid.
>
> Expected behavior would be that the local identity is derived from srcid. The
> currently implemented behavior is also totally undocumented. It took me days
> to debug why my childsa's were failing.
>
> In the current form I don't understand why we even maintain srcid as selector
> in /etc/iked.conf when the only valid srcid is what gets hardcoded via
> /etc/iked/private/local.key and its matching cert.
From the manual:

    /etc/iked/private/
        The directory where local private keys used for public key
        authentication are kept. The file local.key is used to store the
        local private key.

Using the plural there doesn't seem right to me, but the rest of that
information (in particular "The file local.key is used to store the local
private key") is correct, and there's nothing else in the documentation that
refers to a private key other than local.key.

> Am I missing something here? Somewhat lost after two days of debugging.

Neither local.key nor local.pub contains any information about the srcid;
they are just plain RSA or ECDSA keys, not certificates. iked doesn't have a
mechanism to handle multiple private keys.

--
Please keep replies on the mailing list.
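A check that follows from the reply above: since iked authenticates with the single key in local.key, the certificate it presents must carry that key's public half, so listing which files under the certs directory match a given private key shows what a peer can actually be offered. This is an added example, not code from the thread or from OpenBSD; it assumes openssl(1) is installed and takes the key path and certs directory as parameters, defaulting to the /etc/iked paths discussed above.

```shell
#!/bin/sh
# Added example (not part of the thread). Report which certificates in a
# directory carry the public key belonging to a given private key, i.e. which
# certs iked could present when it authenticates with that key.
# Assumes openssl(1) in PATH. Usage: iked_key_matches [KEY] [CERTDIR]

# SHA-256 of the DER SubjectPublicKeyInfo of a private key; fails if the
# file is not a readable private key.
pubkey_fp() {
    openssl pkey -in "$1" -noout 2>/dev/null || return 1
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Same fingerprint, taken from the public key inside an X.509 certificate;
# fails if the file is not a certificate (e.g. a stray key in the directory).
cert_pubkey_fp() {
    openssl x509 -in "$1" -noout 2>/dev/null || return 1
    openssl x509 -in "$1" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Print each certificate path whose public key matches KEY.
# Returns 0 if at least one matched, 1 if none did, 2 if KEY is unusable.
iked_key_matches() {
    key=${1:-/etc/iked/private/local.key}
    certdir=${2:-/etc/iked/certs}
    want=$(pubkey_fp "$key") || {
        echo "cannot read private key: $key" >&2
        return 2
    }
    found=1
    for c in "$certdir"/*; do
        [ -f "$c" ] || continue
        fp=$(cert_pubkey_fp "$c") || continue   # skip non-certificate files
        if [ "$fp" = "$want" ]; then
            echo "$c"
            found=0
        fi
    done
    return $found
}
```

An empty result means no certificate in the directory belongs to that key, which is the situation to look for when a peer rejects the local identity despite a seemingly correct srcid.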