[Swan-dev] testing/pluto/ikev2-03-basic-rawrsa-ckaid

Paul Wouters paul at nohats.ca
Sun Feb 3 21:41:15 UTC 2019

On Sun, 3 Feb 2019, Andrew Cagney wrote:

> Subject: Re: [Swan-dev] testing/pluto/ikev2-03-basic-rawrsa-ckaid

>> But what does this really test?
> From my POV, it demonstrates how CKAIDs with raw private keys can
> sometimes seem to work when really they don't.

Okay, so once we support raw RSA that does not require secrets files,
we can rewrite this test case without using includes, so that it becomes

>> conn westnet-eastnet-ikev2
>>         also=east-rightckaid
>>         also=west-leftrsasigkey
>>         also=east-rightrsasigkey

Although, there is a weirdness of using ckaid= as the connection is no
longer symmetrical. That is left can use leftckaid=XXXX, but right
cannot use leftckaid unless it has a copy of the key in NSS.

Maybe allowing left/rightckaid= was not a good idea after all? But I
guess now we are stuck with it.


More information about the Swan-dev mailing list