[Swan-dev] %fromcert

Paul Wouters paul at nohats.ca
Thu Feb 7 15:40:19 UTC 2019

On Thu, 7 Feb 2019, D. Hugh Redelmeier wrote:

> I don't deeply understand what %fromcert is supposed to do.
> 	git grep -ni "fromcert" doc
> fails to find an explanation.  Only examples.
> My particular concern is that in our code,
> - a %fromcert in a connection will be mutate to a ID_DER_ASN1_DN by
>  match_certs_id.  The .name field will come from the certificate's
>  derName.
> - this is irreversible
> - the connection is not required to be an instance.
> This seems quite wrong.  Surely there should be a way of reversing
> this.

Why? For the certificate on the local end, eg if we are left and we have
a leftert= than doing this once is enough and it never needs to happen
again. For a right=%any, we do not have rightcert= usually, as we
instantiate and receive the cert over IKE. For that instance, the same
rule applies - we never want to change it again.

> Surely there should be a way of binding the connection to
> different certificates at different times, and hence the ID should
> follow.  Perhaps even several at one time.

Can you give me an example where that would ever be needed? I cannot
think of any.

> Can we have some documentation?  Or did I miss some documentation?
> That would let me figure out if the surprising behaviour matches some
> intention.

%fromcert is documentd in "man ipsec.conf"


More information about the Swan-dev mailing list