[Swan-dev] pluto: Fix bogus "no RSA public key known for '%fromcert'"
Paul Wouters
paul at nohats.ca
Fri May 8 23:20:38 EEST 2015
On Fri, 1 May 2015, Herbert Xu wrote:
> When refine_host_connection tests against a %fromcert RW connection
> followed by other right=%any connections with fixed IDs (e.g.,
> @hostname), it will lose the fromcert setting. So when it does
> eventually return with the %fromcert RW connection fromcert will
> be set to false and therefore the actual certificate ID won't be
> copied into spd.that.id, resulting in a bogus "no RSA public key
> known for '%fromcert'".
>
> This error won't happen if the order of matching is reversed and
> the %fromcert connection gets tested last. So that's why the
> connection sometimes works but often fails with an authentication
> error.
>
> This patch fixes it by keeping the fromcert setting of the best
> match.
Applied. Thanks!
Paul
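
The order dependence described in the quoted commit message, modelled as an added example (not libreswan code and not part of the original thread): a best-match loop where a flag computed per candidate is overwritten by later candidates, next to a version that keeps the flag of the best match. The struct layout, the `score` field and the function names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Simplified model (assumption, not pluto's structures): a candidate
 * connection whose peer ID is fixed or taken from the peer certificate. */
struct conn {
    const char *name;
    const char *that_id;  /* "%fromcert" or a fixed ID such as "@hostname" */
    int score;            /* hypothetical match quality; higher wins */
};

struct result { const struct conn *best; bool fromcert; };

static bool id_is_fromcert(const struct conn *c) {
    return strcmp(c->that_id, "%fromcert") == 0;
}

/* Before: the flag reflects whichever candidate was tested last,
 * not the candidate that is finally returned as the best match. */
struct result refine_buggy(const struct conn *cands, size_t n) {
    struct result r = { NULL, false };
    for (size_t i = 0; i < n; i++) {
        r.fromcert = id_is_fromcert(&cands[i]);
        if (r.best == NULL || cands[i].score > r.best->score)
            r.best = &cands[i];
    }
    return r;
}

/* After: the flag is stored only when the best match changes. */
struct result refine_fixed(const struct conn *cands, size_t n) {
    struct result r = { NULL, false };
    for (size_t i = 0; i < n; i++) {
        bool fromcert = id_is_fromcert(&cands[i]);
        if (r.best == NULL || cands[i].score > r.best->score) {
            r.best = &cands[i];
            r.fromcert = fromcert;
        }
    }
    return r;
}

/* Constructed sample: the same two candidates in both test orders. */
const struct conn rw_first[] = { {"rw-cert", "%fromcert", 2}, {"fixed", "@hostname", 1} };
const struct conn rw_last[]  = { {"fixed", "@hostname", 1}, {"rw-cert", "%fromcert", 2} };
```

With the %fromcert candidate tested first, `refine_buggy` returns it with the flag cleared, which is the state that leads to the literal '%fromcert' ID being used for the key lookup; with it tested last, the flag happens to be correct.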