On Thu, 7 Feb 2019, D. Hugh Redelmeier wrote:

> I don't deeply understand what %fromcert is supposed to do.
>
>         git grep -ni "fromcert" doc
> fails to find an explanation.  Only examples.
>
> My particular concern is that in our code,
>
> - a %fromcert in a connection will be mutated to an ID_DER_ASN1_DN by
>  match_certs_id.  The .name field will come from the certificate's
>  derName.
>
> - this is irreversible
>
> - the connection is not required to be an instance.
>
> This seems quite wrong.  Surely there should be a way of reversing
> this.

Why? For the certificate on the local end, eg if we are left and we have
a leftcert= then doing this once is enough and it never needs to happen
again. For a right=%any, we do not have rightcert= usually, as we
instantiate and receive the cert over IKE. For that instance, the same
rule applies - we never want to change it again.

> Surely there should be a way of binding the connection to
> different certificates at different times, and hence the ID should
> follow.  Perhaps even several at one time.

Can you give me an example where that would ever be needed? I cannot
think of any.

> Can we have some documentation?  Or did I miss some documentation?
> That would let me figure out if the surprising behaviour matches some
> intention.

%fromcert is documented in "man ipsec.conf"

Paul
_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
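The two cases Paul describes (a local end that loads its own certificate from leftcert=, and a right=%any end whose certificate only arrives over IKE) map onto an ipsec.conf connection like the one below. This is an added illustration, not configuration taken from the thread or from the libreswan tree; the connection name, the NSS certificate nickname "gw.example.org" and the address 192.0.2.1 are made up for the example.

```conf
# Added example: a responder that authenticates itself with its own
# certificate and accepts any peer presenting a certificate from the same CA.
conn roadwarriors-x509
        # Local end: the certificate is known at load time (leftcert=), so
        # leftid=%fromcert is resolved once into the DER DN of that cert
        # and never needs to change again.
        left=192.0.2.1
        leftcert=gw.example.org
        leftid=%fromcert
        leftsendcert=always
        # Remote end: no rightcert= is configured. The connection is
        # instantiated per peer when its certificate arrives in IKE, and
        # rightid=%fromcert is then bound to the DN of *that* cert on
        # *that* instance only; the template connection is left untouched.
        right=%any
        rightid=%fromcert
        rightca=%same
        authby=rsasig
        auto=add
```

The practical check for the behaviour discussed above is therefore per instance: after a peer connects, the instantiated connection shown by `ipsec status` carries the peer's DN as its ID, while the template still reads %fromcert, so the irreversibility Hugh describes only ever affects a single peer's instance (or the local end, whose certificate was fixed by leftcert= anyway).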
