On Fri, 1 May 2015, Herbert Xu wrote:

When refine_host_connection tests against a %fromcert RW connection
followed by other right=%any connections with fixed IDs (e.g.,
@hostname), it will lose the fromcert setting.  So when it does
eventually return with the %fromcert RW connection, fromcert will
be set to false and therefore the actual certificate ID won't be
copied into spd.that.id, resulting in a bogus "no RSA public key
known for '%fromcert'".

This error won't happen if the order of matching is reversed and
the %fromcert connection gets tested last.  So that's why the
connection sometimes works but often fails with an authentication
error.

This patch fixes it by keeping the fromcert setting of the best
match.

Applied, thanks!

Paul
_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
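The order dependence Herbert describes, as an added illustration written for this page rather than libreswan's own code: `struct conn`, the `score` field and the `refine_*` functions are hypothetical stand-ins for the candidate loop in refine_host_connection. The buggy scan keeps fromcert in a per-iteration variable that each later candidate overwrites, so the result depends on which connection is tested last; the fix records the flag together with the best match.

```c
#include <stdbool.h>
#include <stdio.h>
struct conn {
    const char *name;
    bool fromcert;  /* true only for the %fromcert RW connection */
    int score;      /* hypothetical match quality; higher wins */
};
struct match_result {
    const struct conn *best;
    bool fromcert;  /* gates copying the peer's cert ID into that.id */
};

/* Buggy scan: the flag is refreshed for every candidate tested, so a later
 * right=%any candidate with a fixed ID clobbers the %fromcert setting. */
struct match_result refine_buggy(const struct conn *list, size_t n)
{
    struct match_result r = { NULL, false };
    bool fromcert = false;
    for (size_t i = 0; i < n; i++) {
        fromcert = list[i].fromcert;
        if (r.best == NULL || list[i].score > r.best->score)
            r.best = &list[i];
    }
    r.fromcert = fromcert;  /* last candidate's setting, not the best match's */
    return r;
}

/* Fixed scan: the flag is recorded together with the best match. */
struct match_result refine_fixed(const struct conn *list, size_t n)
{
    struct match_result r = { NULL, false };
    for (size_t i = 0; i < n; i++) {
        if (r.best == NULL || list[i].score > r.best->score) {
            r.best = &list[i];
            r.fromcert = list[i].fromcert;
        }
    }
    return r;
}

/* Constructed candidate lists: the %fromcert RW connection tested first or last. */
const struct conn fromcert_first[] = { {"rw-fromcert", true, 10}, {"any-hostname", false, 5} };
const struct conn fromcert_last[]  = { {"any-hostname", false, 5}, {"rw-fromcert", true, 10} };

int main(void)
{
    /* prints: buggy first/last: 0 1  fixed first/last: 1 1 */
    printf("buggy first/last: %d %d  fixed first/last: %d %d\n",
           refine_buggy(fromcert_first, 2).fromcert, refine_buggy(fromcert_last, 2).fromcert,
           refine_fixed(fromcert_first, 2).fromcert, refine_fixed(fromcert_last, 2).fromcert);
    return 0;
}
```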
