On Fri, 22 Feb 2019, D. Hugh Redelmeier wrote:
commit 30f132ab693ccc852dc03c24879f1eae07dd1dd1
Author: Paul Wouters <[email protected]>
Date: Fri Feb 22 14:30:24 2019 -0500
X509: more clearly log warning/errors based on NSS profile used
I'm working on this code too :-(
Sorry :(
There is evidence that you (Paul) don't understand the code 100%
either.
Unfortunately, I spend a lot of time on this and know exactly what is
going on :)
- log_bad_cert(cur_log->head);
+ log_bad_cert(usage == certificateUsageSSLClient ? "Warning" :
"ERROR",
+ cur_log->head);
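Review bot: on the added `log_bad_cert(...)` call, the severity prefix is chosen by `usage == certificateUsageSSLClient`, which ties the label to which usage is being checked rather than to whether another validation attempt can still follow; if this call can be reached when no further attempt follows, a final failure would be logged as "Warning". Consider having the caller pass an explicit "more attempts remain" indication (or deferring the log until the overall result is known), and document the new first argument of `log_bad_cert()`. The two labels also differ in case ("Warning" vs "ERROR"), which makes log filtering inconsistent.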
At this point, it is an ERROR. There is no way that a different
"usage" will be tried. As the comments above this say, the control
flow is tricky.
It is an error in validation for sure. But we are now trying TWO
different kinds of certificate validation in NSS. One using its new
"IPsec profile" and one using the old style "TLS profile hack".
If the new IPsec profile method fails, we fall back to the old TLS hack
method. The change in this commit prevents the IPsec profile from
prematurely logging a fatal error in case the TLS profile succeeds.
From NSS's point of view, the IPsec profile failure is a failure.
From libreswan's point of view, it is not.
And why have two log messages for the same case?
There is the IPsec profile, and the TLS profile hack. The TLS profile
hack is two calls to NSS for validation, once as a "TLS client" and if
that fails another try as a "TLS server".
I have rewritten (but not published) the code in a way that is
clearer, but still not clear enough.
Talk to me before publishing :)
Paul
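The fallback order described in this message (IPsec profile, then TLS client, then TLS server), with log severity decided only once the overall outcome is known, as an added example that is not part of the original message and is not libreswan or NSS code. All identifiers and failure codes are hypothetical, and the verifiers are constructed stand-ins for real certificate validation calls.

```c
#include <stdio.h>

/* Hypothetical names for illustration; not libreswan or NSS identifiers. */
enum profile { PROFILE_IPSEC, PROFILE_TLS_CLIENT, PROFILE_TLS_SERVER, PROFILE_COUNT };
static const char *const profile_name[PROFILE_COUNT] = { "IPsec", "TLS client", "TLS server" };

/* Stand-in for one validation call: 0 on success, nonzero failure code otherwise. */
typedef int (*verify_fn)(enum profile p, const void *cert);

struct verify_result {
    int ok;          /* 1 if some profile accepted the certificate */
    int accepted_by; /* accepting profile, or -1 */
    int warnings;    /* failures logged as "Warning" */
    int errors;      /* failures logged as "ERROR" */
};

/* Try each profile in order, stop at the first success, and only then
 * choose the severity of the failures that were recorded on the way. */
struct verify_result verify_with_fallback(verify_fn verify, const void *cert, FILE *log)
{
    int failure[PROFILE_COUNT];
    int tried = 0;
    struct verify_result r = { 0, -1, 0, 0 };

    for (int p = 0; p < PROFILE_COUNT && !r.ok; p++, tried++) {
        failure[p] = verify((enum profile)p, cert);
        if (failure[p] == 0) { r.ok = 1; r.accepted_by = p; }
    }
    for (int p = 0; p < tried; p++) {
        if (failure[p] == 0) continue;
        /* A failed profile is fatal only if no later profile succeeded. */
        fprintf(log, "%s: %s profile validation failed (code %d)\n",
                r.ok ? "Warning" : "ERROR", profile_name[p], failure[p]);
        if (r.ok) r.warnings++; else r.errors++;
    }
    return r;
}

/* Constructed verifiers standing in for real certificate checks. */
static int only_tls_server_ok(enum profile p, const void *cert)
{ (void)cert; return p == PROFILE_TLS_SERVER ? 0 : 100 + (int)p; }
static int all_fail(enum profile p, const void *cert)
{ (void)cert; return 100 + (int)p; }

int main(void)
{
    struct verify_result a = verify_with_fallback(only_tls_server_ok, NULL, stdout);
    struct verify_result b = verify_with_fallback(all_fail, NULL, stdout);
    return (a.warnings == 2 && b.errors == 3) ? 0 : 1;
}
```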