[Swan-dev] pluto: Fix bogus "no RSA public key known for '%fromcert'"

Paul Wouters paul at nohats.ca
Fri May 8 23:20:38 EEST 2015

On Fri, 1 May 2015, Herbert Xu wrote:

> When refine_host_connection tests against a %fromcert RW connection
> followed by other right=%any connections with fixed IDs (e.g.,
> @hostname), it will lose the fromcert setting.  So when it does
> eventually return with the %fromcert RW connection fromcert will
> be set to false and therefore the actual certificate ID won't be
> copied into spd.that.id, resulting in a bogus "no RSA public key
> known for '%fromcert'".
> This error won't happen if the order of matching is reversed and
> the %fromcert connection gets tested last.  So that's why the
> conencton sometimes works but often fails with an authentication
> error.
> This patch fixes it by keeping the fromcert setting of the best
> match.

Applied. thanks!


More information about the Swan-dev mailing list