On Wed, Sep 30, 2015 at 04:30:15PM +0100, Stuart Henderson wrote:
> On 2015/09/30 17:17, Reyk Floeter wrote:
> > The attached diff always responds with a CERT or public key. If the
> > peer didn't send a CERTREQ, iked now picks a cert based on its own
> > trusted CAs (which usually includes the CA that signed your local
> > cert).
>
> This diff looks sane, OK with me, though I don't have a way to test it.
> Testing it with non-iOS implementations would also help :)
> That may also fix a problem with IKEv2 on BlackBerry and Firebrick
> if my diff from https://marc.info/?l=openbsd-misc&m=143594978109212&w=2
> is added on top of this. (I don't have any of this hardware myself though).
>

Your diff under the URL above looks right - OK.

If we received an empty CERTREQ, I think it is safe to ignore it and to
assume that we didn't receive a valid CERTREQ at all.

Reyk
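As an added illustration of the two rules discussed in this thread (fall back to our own trusted CAs when the peer sent no CERTREQ, and treat an empty CERTREQ as no CERTREQ at all), the following is example code written for this page, not Reyk's diff or any part of iked. It assumes the RFC 7296 CERTREQ layout (one "Cert Encoding" byte, value 4 for X.509 signature certificates, followed by 20-byte SHA-1 hashes of each requested CA's SubjectPublicKeyInfo); the certificate names and CA key bytes are constructed sample data.

```python
import hashlib

# RFC 7296 section 3.7: CERTREQ = Cert Encoding (1 byte) + Certification Authority data.
CERT_X509_SIGNATURE = 4
CA_HASH_LEN = 20  # SHA-1 of each trusted CA's SubjectPublicKeyInfo


def ca_key_hash(spki_der: bytes) -> bytes:
    """SHA-1 over a CA's DER SubjectPublicKeyInfo, as carried in a CERTREQ."""
    return hashlib.sha1(spki_der).digest()


def parse_certreq(payload):
    """Return the list of CA key hashes the peer asked for, or None when the
    CERTREQ is absent, uses an encoding we do not handle, is malformed, or is
    empty. An empty CERTREQ (encoding byte only) is treated exactly like no
    CERTREQ having been received, which is the point made in the thread."""
    if not payload:
        return None
    encoding, data = payload[0], payload[1:]
    if encoding != CERT_X509_SIGNATURE:
        return None
    if len(data) == 0 or len(data) % CA_HASH_LEN != 0:
        return None
    return [data[i:i + CA_HASH_LEN] for i in range(0, len(data), CA_HASH_LEN)]


def select_cert(local_certs, trusted_cas, certreq_payload):
    """local_certs: (name, issuer_spki_der) pairs for the certificates we hold.
    trusted_cas: SPKI DER of the CAs we trust ourselves.
    Policy (assumed, following the thread): prefer a cert issued by a CA the
    peer requested; with no usable CERTREQ, pick a cert issued by one of our
    own trusted CAs; if nothing matches, answer with the bare public key."""
    requested = parse_certreq(certreq_payload)
    wanted = requested if requested is not None else [ca_key_hash(ca) for ca in trusted_cas]
    for name, issuer_spki in local_certs:
        if ca_key_hash(issuer_spki) in wanted:
            return ("cert", name)
    return ("pubkey", None)


# Constructed sample data: stand-ins for real DER SubjectPublicKeyInfo blobs.
CA_A = b"constructed-spki-of-CA-A"
CA_B = b"constructed-spki-of-CA-B"
CA_X = b"constructed-spki-of-unknown-CA"
LOCAL_CERTS = [("vpn-cert-A", CA_A), ("vpn-cert-B", CA_B)]
TRUSTED_CAS = [CA_B]  # the CA that signed our preferred local cert

if __name__ == "__main__":
    print(select_cert(LOCAL_CERTS, TRUSTED_CAS, None))                          # ('cert', 'vpn-cert-B')
    print(select_cert(LOCAL_CERTS, TRUSTED_CAS, b"\x04"))                       # ('cert', 'vpn-cert-B')
    print(select_cert(LOCAL_CERTS, TRUSTED_CAS, b"\x04" + ca_key_hash(CA_A)))   # ('cert', 'vpn-cert-A')
    print(select_cert(LOCAL_CERTS, TRUSTED_CAS, b"\x04" + ca_key_hash(CA_X)))   # ('pubkey', None)
```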