BTW, just a sanity check. Have you tried the "fixed test" on the code prior to commit 9bc... (i.e., with all the SKIP cruft?).
On Sun, 10 Nov 2019 at 12:59, Andrew Cagney <[email protected]> wrote:
>
> On Sun, 10 Nov 2019 at 11:14, Paul Wouters <[email protected]> wrote:
> >
> > On Sun, 10 Nov 2019, Andrew Cagney wrote:
> >
> > > How so?
> > >
> > > The test results https://testing.libreswan.org/ from the commit
> > > https://testing.libreswan.org/v3.27-603-g9bc2e4e7f-master/ and test
> > > run
> > > https://testing.libreswan.org/v3.27-603-g9bc2e4e7f-master/x509-pluto-05/OUTPUT/
> > > show the test passing.
> >
> > I think during those tests, there was still an ec based CA cert in the
> > nss db. It did not do anything for the RSA certs validating, but it
> > prevented the code below from firing.
>
> The reverse?
>
> It looks like it is checking that there's a root ca, and when there
> isn't barf. A correctly set up and installed self signed cert should
> have been returned?
>
> > Removing the hunk fixed my issue. Is there a problem later in the code
> > that assumes root_certs != NULL ?
> >
> > Paul
> >
> > > On Sat, 9 Nov 2019 at 16:43, Paul Wouters <[email protected]> wrote:
> > >>
> > >>
> > >> This commit:
> > >>
> > >> commit 9bc2e4e7f61ec5e4bfd303614974559ce389fbf4
> > >> Author: Andrew Cagney <[email protected]>
> > >> Date:   Sun Jan 13 16:17:09 2019 -0500
> > >>
> > >>     x509: eliminate VERIFY_RET* replacing verify_and_cache_chain() with
> > >>     find_and_verify_certs()
> > >>
> > >>
> > >>
> > >> introduced this code:
> > >>
> > >>     if (!pexpect(root_certs != NULL) ||
> > >>         CERT_LIST_EMPTY(root_certs)) {
> > >>             libreswan_log("No Certificate Authority in NSS Certificate DB! Certificate payloads discarded.");
> > >>             return NULL;
> > >>     }
> > >>
> > >> This broke x509-pluto-05 that uses two selfsigned certs without CA.
> > >>
> > >> Paul
> > >>
> > >> _______________________________________________
> > >> Swan-dev mailing list
> > >> [email protected]
> > >> https://lists.libreswan.org/mailman/listinfo/swan-dev
> > >
