This could be tricky. We support authby=rsasig,null

But the goal of that option is not to fall back to null due to a bad cert. So unless anyone finds a reason to, I'm fine with not loading such a connection.

Paul

Sent from mobile device

> On Apr 17, 2019, at 19:44, Andrew Cagney <[email protected]> wrote:
>
> I'm looking at this code in connections.c
>
>     same_leftca = extract_end(&c->spd.this, &wm->left, "left");
>     same_rightca = extract_end(&c->spd.that, &wm->right, "right");
>
>     if (same_rightca == -1 || same_leftca == -1) {
>         loglog(RC_LOG_SERIOUS, "extract_end() as failed - ID or certificate might be unset and cause failure");
>     }
>
> added with:
>
> commit becaafd3c62f4209b1d8d882ab194c9b129d49ef
> pluto: extract_end() ignored failures and stumbled on. Now it aborts properly.
>
> While extract_end() is aborted, the connection proper still gets added. Should the code instead reject the connection:
>
> - when the cert is unknown
> - when the cert is "invalid" (see bug 339)
>
> ?
>
> Andrew
> _______________________________________________
> Swan-dev mailing list
> [email protected]
> https://lists.libreswan.org/mailman/listinfo/swan-dev
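The two behaviours the thread contrasts, modelled in C as an added example that is not libreswan's code: a "stumble on" variant that logs the extract_end() failure and still registers the connection, beside a fail-closed variant that rejects the connection when either end's certificate is unknown or invalid. The structures, the cert_store table, and the function names (extract_end, add_connection_stumble_on, add_connection_strict, loaded_count, reset_loaded) are hypothetical stand-ins for pluto's real types and connection list, and the sample connections are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified stand-ins for the pluto structures discussed in the
 * thread. They are not libreswan's types; they only model "an end may name a
 * certificate" and "a connection has two ends". */
struct end_conf {
    const char *id;     /* e.g. "@east" */
    const char *cert;   /* certificate nickname, or NULL if none configured */
};

struct conn_conf {
    const char *name;
    struct end_conf left;
    struct end_conf right;
};

/* Constructed certificate store: which nicknames are known and whether each
 * one currently validates (an expired or revoked cert is "known but invalid"). */
static const struct {
    const char *nick;
    bool valid;
} cert_store[] = {
    { "east-cert", true },
    { "old-cert",  false },
};

/* Model of extract_end(): 0 on success, -1 when the end's cert is unknown or
 * invalid. The reason is written to `why` so the caller can log it. */
static int extract_end(const struct end_conf *e, const char *side,
                       char *why, size_t whylen)
{
    if (e->cert == NULL)
        return 0;               /* no cert configured on this end: nothing to check */
    for (size_t i = 0; i < sizeof cert_store / sizeof cert_store[0]; i++) {
        if (strcmp(cert_store[i].nick, e->cert) != 0)
            continue;
        if (cert_store[i].valid)
            return 0;
        snprintf(why, whylen, "%s: certificate '%s' is invalid", side, e->cert);
        return -1;
    }
    snprintf(why, whylen, "%s: certificate '%s' not found", side, e->cert);
    return -1;
}

/* A tiny "loaded connections" table standing in for pluto's connection list. */
#define MAX_CONNS 8
static const char *loaded[MAX_CONNS];
static size_t nloaded;

size_t loaded_count(void) { return nloaded; }
void reset_loaded(void) { nloaded = 0; }

/* Behaviour described in the thread: extract_end() fails, a serious log line
 * is emitted, but the connection is still added. Always returns 0 ("added"). */
int add_connection_stumble_on(const struct conn_conf *c)
{
    char why[128];
    if (extract_end(&c->left, "left", why, sizeof why) == -1)
        fprintf(stderr, "%s: %s (continuing anyway)\n", c->name, why);
    if (extract_end(&c->right, "right", why, sizeof why) == -1)
        fprintf(stderr, "%s: %s (continuing anyway)\n", c->name, why);
    if (nloaded < MAX_CONNS)
        loaded[nloaded++] = c->name;
    return 0;
}

/* Fail-closed variant suggested in the thread: a bad end rejects the whole
 * connection and nothing is registered. Returns -1 on rejection, 0 when loaded. */
int add_connection_strict(const struct conn_conf *c)
{
    char why[128];
    if (extract_end(&c->left, "left", why, sizeof why) == -1 ||
        extract_end(&c->right, "right", why, sizeof why) == -1) {
        fprintf(stderr, "%s: %s; connection not loaded\n", c->name, why);
        return -1;
    }
    if (nloaded >= MAX_CONNS)
        return -1;
    loaded[nloaded++] = c->name;
    return 0;
}

/* Constructed sample connections: one clean, one naming an unknown cert,
 * one naming a cert that is known but does not validate. */
const struct conn_conf sample_good    = { "good",    { "@west", NULL },       { "@east", "east-cert" } };
const struct conn_conf sample_unknown = { "unknown", { "@west", NULL },       { "@east", "no-such-cert" } };
const struct conn_conf sample_invalid = { "invalid", { "@west", "old-cert" }, { "@east", NULL } };

int main(void)
{
    add_connection_stumble_on(&sample_unknown);         /* loaded despite the error */
    printf("stumble-on loaded %zu connection(s)\n", loaded_count());
    reset_loaded();
    add_connection_strict(&sample_good);
    add_connection_strict(&sample_unknown);
    add_connection_strict(&sample_invalid);
    printf("strict loaded %zu connection(s)\n", loaded_count());
    return 0;
}
```

The strict variant is the fail-closed reading of the thread: a connection whose certificate cannot be resolved never reaches the connection list, so it cannot later be selected and silently negotiate with a weaker authby than the operator intended.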
