[Swan-dev] CA chains / Bug 182

Matt Rogers mrogers at redhat.com
Fri Aug 15 20:12:01 EEST 2014

Hey all,

I pushed the branch for this so I can start getting some eyes on it. Test cases
are on the way. A summary of the changes:

- Added load_end_ca_path() to load the available intermediate CA certs into the 

- Added the connection option "sendca=none|issuer|all". This is a very basic way
  of choosing the delivery policy, so I'd like some ideas here. I chose none as
  the default which is the previous behavior. Should this change? 

- This still just uses the CERTREQ as an indication to send an end cert, and the
  sendca= policy and availability of the end cert's CA chain dictates how much of
  its chain to send. ikev1_ship_ca_chain() would need improvement to incorporate 
  the CERTREQ contents into the decision as defined by RFC4945

- ikev1_ship_CERT()'s code was floating out there, and it just needed to be
  turned into a real function.

- receiving certs needed improvements to ikev1_decode_cert() and
  store_x509certs(). Received CA certs are added to the global authcert list and
  removed when the connection is deleted. Added an alternate cert list to 
  verify_x509cert() so recieved CAs can be verified through their own chain
  first before adding them to the global list.

Among other small changes. 


More information about the Swan-dev mailing list