[Swan-dev] %fromcert
Paul Wouters
paul at nohats.ca
Thu Feb 7 15:40:19 UTC 2019
On Thu, 7 Feb 2019, D. Hugh Redelmeier wrote:
> I don't deeply understand what %fromcert is supposed to do.
>
> git grep -ni "fromcert" doc
> fails to find an explanation. Only examples.
>
> My particular concern is that in our code,
>
> - a %fromcert in a connection will be mutated to an ID_DER_ASN1_DN by
> match_certs_id. The .name field will come from the certificate's
> derName.
>
> - this is irreversible
>
> - the connection is not required to be an instance.
>
> This seems quite wrong. Surely there should be a way of reversing
> this.
Why? For the certificate on the local end, e.g. if we are left and we have
a leftcert=, then doing this once is enough and it never needs to happen
again. For a right=%any, we do not have rightcert= usually, as we
instantiate and receive the cert over IKE. For that instance, the same
rule applies - we never want to change it again.
> Surely there should be a way of binding the connection to
> different certificates at different times, and hence the ID should
> follow. Perhaps even several at one time.
Can you give me an example where that would ever be needed? I cannot
think of any.
> Can we have some documentation? Or did I miss some documentation?
> That would let me figure out if the surprising behaviour matches some
> intention.
%fromcert is documented in "man ipsec.conf"
Paul
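The two cases Paul describes (a fixed local certificate, and a %any peer whose certificate arrives over IKE) look like this in an ipsec.conf connection. This is an added illustration, not a configuration from the thread or from the libreswan tree; the address 192.0.2.1 and the NSS nickname "gateway" are assumed placeholders.

```ini
# Added example (not from the thread). Both IDs are taken from certificates:
# the left one from the locally loaded leftcert= at connection load time,
# the right one from whatever certificate the peer sends over IKE, per instance.
conn roadwarrior-certs
    left=192.0.2.1               # assumed address of this gateway
    leftcert=gateway             # assumed NSS nickname of the gateway certificate
    leftid=%fromcert             # becomes the subject DN of leftcert once; never changes
    leftsendcert=always
    right=%any                   # instantiated per peer; no rightcert= is configured
    rightid=%fromcert            # filled from the peer certificate received over IKE
    rightca=%same                # peer certificate must chain to the same CA as leftcert
    authby=rsasig
    auto=add
```

The check a practitioner wants is on rightca=: with right=%any and rightid=%fromcert, the only thing constraining which peers match this connection is the CA the peer certificate chains to, so omitting rightca= (or pointing it at a broader CA than intended) widens who can instantiate the connection.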