[Swan-commit] Changes to ref refs/heads/master
Paul Wouters
paul at vault.libreswan.fi
Thu Feb 21 05:01:25 UTC 2019
New commits:

commit 711267234abdc773e3bb2412cd25dd3397288812
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Feb 20 23:58:58 2019 -0500

documentation: update changes

commit 0e391fb4d696047cec1fa82a7e47d977b64302d8
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Feb 21 00:00:21 2019 -0500

building: just a whitespace change in nss_cert_verify.c

Done separately, so the previous commit is more self-describing

commit 7de7d5cdb6717101b8161891ed4344dfd32f5e4c
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Feb 20 23:51:56 2019 -0500

X509: Don't fail validation on critical flag in Key Usage payloads

When using the NSS IPsec profile for certificate validation, the NSS
library rejects validation if it encounters a critical flag. The NSS
IPsec profile supports ignoring EKU as per RFC 4945.

When not using the NSS IPsec profile, libreswan uses the TLS profile.
It first tries TLS server, then TLS client verification. This NSS profile
accepts critical flags. It does not support ignoring EKU as per RFC 4945.

As a workaround until NSS updates the IPsec profile processing, libreswan
will now first try to use the NSS IPsec profile. On failure it will use
the NSS TLS profile (as server, then as client, which is the old style
of pre 3.28 verification).

If NSS IPsec profile support is not compiled in, only the TLS profile
(server, then client) will be used, as was the behaviour before 3.28.