On Sun, 20 Sep 2020 at 22:16, Paul Wouters <[email protected]> wrote: > On Sun, 20 Sep 2020, Andrew Cagney wrote: > > > - if orient() tries to load a cert and fails, should the connection be > tossed or left unoriented? > > It's too late than isn't it? The connection is already loaded before > orient() can be called on it. > > > First, it looks like message generated by "ipsec whack --label > 'SAwest-east leftrsasigkey' --keyid > > "@west" --pubkeyrsa ..." should trigger an attempt to load the > corresponding private key (but ignore > > failure). Both of these: > > > https://testing.libreswan.org/v3.30-1714-gcab2172733-main/delete-sa-01/OUTPUT/west.console.txt > > > https://testing.libreswan.org/v3.30-1714-gcab2172733-main/ikev2-55-ipseckey-02/OUTPUT/east.console.diff > > were relying on *.secrets triggering an attempt to load the private key. >
I believe these are fixed. A follow-up is to look at dropping how rsasigkey=... causes the key to be added to the cache (why not just bind it to its connection). > > > > and this leads to a potential refinement: > > > > - "add" triggers a lazy attempt at loading the private key - this > already happens with certificates (it > > warns when the private key is missing) > I'm probably going to push this. It also logs a message (but not to whack) when the private key gets loaded (vs found in the cache). > > - orient() can then check that the public / private key is available > > However this can be left until post 4.0. I'm seeing tests where the preloaded private key gets deleted while the connection is up. get_connection_private_key() then re-loads it. > Paul >
_______________________________________________ Swan-dev mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan-dev
