[Swan-commit] Changes to ref refs/heads/master
Paul Wouters
paul at vault.libreswan.fi
Fri May 8 23:51:54 EEST 2015
New commits:
commit 50b92e6ef3136679fc29183aab35350ebffcdb81
Author: Paul Wouters <pwouters at redhat.com>
Date: Fri May 8 16:50:27 2015 -0400
debug log: change spelling of nat-t and NAT-t to NAT-T
commit daa6d73f1cac1988c6e5edd622897ef81e2226fc
Author: Herbert Xu <herbert at gondor.apana.org.au>
Date: Fri May 8 16:24:19 2015 -0400
pluto: simplify if conditions for deciding and performing NAT payload
The numvidtosend++ should really be identical, and while it indirectly
was, this was not obvious due to the call to set_nat_traversal()
commit 9647eb0df272f3cfc4d9232efee35ceb607d2ef7
Author: Herbert Xu <herbert at gondor.apana.org.au>
Date: Fri May 8 16:20:56 2015 -0400
pluto: Fix bogus "no RSA public key known for '%fromcert'"
When refine_host_connection tests against a %fromcert RW connection
followed by other right=%any connections with fixed IDs (e.g.,
@hostname), it will lose the fromcert setting. So when it does
eventually return with the %fromcert RW connection fromcert will
be set to false and therefore the actual certificate ID won't be
copied into spd.that.id, resulting in a bogus "no RSA public key
known for '%fromcert'".
This error won't happen if the order of matching is reversed and
the %fromcert connection gets tested last. So that's why the
connection sometimes works but often fails with an authentication
error.
This patch fixes it by keeping the fromcert setting of the best
match.
Signed-off-by: Herbert Xu <herbert at gondor.apana.org.au>
Signed-off-by: Paul Wouters <pwouters at redhat.com>