On Sun, 20 Sep 2020, Andrew Cagney wrote:
> - if orient() tries to load a cert and fails, should the connection be tossed or left unoriented?
It's too late then, isn't it? The connection is already loaded before orient() can be called on it.
> First, it looks like the message generated by "ipsec whack --label 'SAwest-east leftrsasigkey' --keyid "@west" --pubkeyrsa ..." should trigger an attempt to load the corresponding private key (but ignore failure). Both of these:
>
> https://testing.libreswan.org/v3.30-1714-gcab2172733-main/delete-sa-01/OUTPUT/west.console.txt
> https://testing.libreswan.org/v3.30-1714-gcab2172733-main/ikev2-55-ipseckey-02/OUTPUT/east.console.diff
>
> were relying on *.secrets triggering an attempt to load the private key.
>
> This leads to a potential refinement:
>
> - "add" triggers a lazy attempt at loading the private key; this already happens with certificates (it warns when the private key is missing)
> - orient() can then check that the public / private key is available
Okay?

Paul
