On Sun, 10 Nov 2019, Andrew Cagney wrote:
How so?
The test results https://testing.libreswan.org/ from the commit
https://testing.libreswan.org/v3.27-603-g9bc2e4e7f-master/ and test
run
https://testing.libreswan.org/v3.27-603-g9bc2e4e7f-master/x509-pluto-05/OUTPUT/
show the test passing.
I think during those tests, there was still an ec based CA cert in the
nss db. It did not do anything for the RSA certs validating, but it
prevented the code below from firing.
Removing the hunk fixed my issue. Is there a problem later in the code
that assumes root_certs != NULL ?
Paul
On Sat, 9 Nov 2019 at 16:43, Paul Wouters <[email protected]> wrote:
This commit:
commit 9bc2e4e7f61ec5e4bfd303614974559ce389fbf4
Author: Andrew Cagney <[email protected]>
Date:   Sun Jan 13 16:17:09 2019 -0500

    x509: eliminate VERIFY_RET* replacing verify_and_cache_chain() with find_and_verify_certs()

introduced this code:
    if (!pexpect(root_certs != NULL) || CERT_LIST_EMPTY(root_certs)) {
        libreswan_log("No Certificate Authority in NSS Certificate DB! Certificate payloads discarded.");
        return NULL;
    }
This broke x509-pluto-05 that uses two self-signed certs without CA.
Paul
_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev