[Openswan dev] Bug#571133: openswan: pluto seems to ignore rightid if rightcert is set to missing file

Harald Jenny harald at a-little-linux-box.at
Fri Aug 20 09:40:37 EDT 2010


On Thu, Aug 19, 2010 at 11:37:47AM -0400, Paul Wouters wrote:
> On Thu, 19 Aug 2010, Harald Jenny wrote:
> 
> >I think I found something:
> >
> >in programs/pluto/connections.c, line 816
> >
> >           if(!valid_cert) {
> >               whack_log(RC_FATAL, "can not load certificate file %s\n"
> >                         , filename);
> >               /* clear the ID, we're expecting it via %fromcert */
> >               dst->id.kind = ID_NONE;
> >               return;
> >           }
> >
> >This is an incorrect assumption because since version 2.5.16 leftid does not
> >default anymore to %fromcert. On the other hand it seems that in 2.4.12 the
> >leftid value is kept even when no leftcert is present. What implications would
> >a removal of
> >dst->id.kind = ID_NONE;
> >have?
> 
> I don't think it would hurt.

Ok

> But we're still looking at why an incorrectly
> configured configuration that happened to work, "broke".

Because of the code changes - in 2.4 leftid was automatically set when a
leftcert was set, but on the other hand could be overridden by the leftid
param. Setting a custom leftid after first sourcing the leftid from leftcert
was a reasonable way therefore; on the other hand, unsetting the leftid at the
point when the attempt to source the file failed was ok too. In 2.6 the leftid
gets dropped regardless of whether it is from cert or not when the file is invalid.

> 
> The check could be changed to see if dst->id.kind is loaded with "%fromcert"
> before clearing it.

Sounds reasonable.

> 
> Paul

Thanks for your time
Harald

> >>
> >>Paul
> >
> >Kind regards
> >Harald
> >
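To make the distinction discussed above concrete, here is a small added C model of the two behaviours. It is not Openswan's code: the struct, the ID_FROMCERT and ID_FQDN names, the stub certificate loader and the file names are assumptions for this example (only ID_NONE and the log message come from the quoted snippet). It shows the 2.6 behaviour described in the thread, where a failed certificate load clears the end's id unconditionally, beside the check Paul suggests, which clears it only when the id was to be taken from the certificate, so an explicitly configured rightid survives a missing rightcert.

```c
#include <stdio.h>
#include <string.h>

/* Assumed stand-ins for pluto's types: ID_NONE is from the quoted code,
 * the other kinds are names chosen for this example. */
enum id_kind { ID_NONE, ID_FROMCERT, ID_FQDN, ID_DER_ASN1_DN };

struct end {
    enum id_kind kind;
    char name[128];   /* textual id, e.g. "vpn.example.org" */
};

/* Stub loader: there are no real files here, so only the constructed
 * name "valid.pem" counts as a loadable certificate. */
static int load_cert(const char *filename) {
    return strcmp(filename, "valid.pem") == 0;
}

/* Behaviour described for 2.6: the id is cleared whenever the certificate
 * file cannot be loaded, whether or not the id came from the cert. */
void load_end_cert_old(struct end *dst, const char *filename) {
    if (!load_cert(filename)) {
        fprintf(stderr, "can not load certificate file %s\n", filename);
        dst->kind = ID_NONE;
        dst->name[0] = '\0';
    }
}

/* Suggested check: only clear the id if it was expected via %fromcert;
 * an explicitly configured leftid/rightid is left alone. */
void load_end_cert_fixed(struct end *dst, const char *filename) {
    if (!load_cert(filename)) {
        fprintf(stderr, "can not load certificate file %s\n", filename);
        if (dst->kind == ID_FROMCERT) {
            dst->kind = ID_NONE;
            dst->name[0] = '\0';
        }
    }
}

/* Build an end with the given starting id kind (an explicit FQDN gets a
 * constructed name), run one of the loaders, and return the resulting kind. */
enum id_kind kind_after(void (*loader)(struct end *, const char *),
                        enum id_kind start, const char *filename) {
    struct end e;
    e.kind = start;
    e.name[0] = '\0';
    if (start == ID_FQDN)
        strcpy(e.name, "vpn.example.org");
    loader(&e, filename);
    return e.kind;
}

int main(void) {
    printf("old, explicit id, missing file: kind=%d\n",
           kind_after(load_end_cert_old, ID_FQDN, "missing.pem"));
    printf("fixed, explicit id, missing file: kind=%d\n",
           kind_after(load_end_cert_fixed, ID_FQDN, "missing.pem"));
    printf("fixed, %%fromcert id, missing file: kind=%d\n",
           kind_after(load_end_cert_fixed, ID_FROMCERT, "missing.pem"));
    return 0;
}
```

With the old loader an explicit FQDN id ends up as ID_NONE after a missing file; with the check added it stays ID_FQDN, while an id that was to come from the certificate is still cleared.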