[Swan-dev] %fromcert

D. Hugh Redelmeier hugh at mimosa.com
Thu Feb 7 16:21:38 UTC 2019


| From: Paul Wouters <paul at nohats.ca>

| On Thu, 7 Feb 2019, D. Hugh Redelmeier wrote:
| 
| > I don't deeply understand what %fromcert is supposed to do.
| >
| > 	git grep -ni "fromcert" doc
| > fails to find an explanation.  Only examples.

Documentation (in programs/configs/d.ipsec.conf/leftid.xml):

	The magic value
	<emphasis remap='B'>%fromcert</emphasis>
	causes the ID to be set to a DN taken from a certificate that is loaded.
	Prior to 2.5.16, this was the default if a certificate was specified.

This doesn't say which certificate (there might be several) or when it
is taken or if it might be taken multiple times.

Logically, one might expect that the name would be reset if the
certificate were unloaded, but it doesn't say that.  Can certificates
be unloaded?  Expiry?  CRL?  Some kind of whack command?

| > My particular concern is that in our code,
| >
| > - a %fromcert in a connection will be mutated to an ID_DER_ASN1_DN by
| >  match_certs_id.  The .name field will come from the certificate's
| >  derName.
| >
| > - this is irreversible
| >
| > - the connection is not required to be an instance.
| >
| > This seems quite wrong.  Surely there should be a way of reversing
| > this.
| 
| Why? For the certificate on the local end, e.g. if we are left and we have
| a leftcert= then doing this once is enough and it never needs to happen
| again. For a right=%any, we do not have rightcert= usually, as we
| instantiate and receive the cert over IKE. For that instance, the same
| rule applies - we never want to change it again.

Are you saying that it only applies to a cert that we got through {left,right}cert= ?
The documentation doesn't say that.
I have no idea if the code says that.

| > Surely there should be a way of binding the connection to
| > different certificates at different times, and hence the ID should
| > follow.  Perhaps even several at one time.
| 
| Can you give me an example where that would ever be needed? I cannot
| think of any.

- if the certificate changes.  I don't see why this is logically
  linked with loading a conn and yet that is the only way of resetting
  the %fromcert.

- there are multiple certificates presented to match_certs_id.  Any of
  or all of their derNames might be suitable.
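
Added example, not part of the original message and not libreswan code: a simplified C model of the concern discussed above, contrasting an ID that is overwritten in place the first time a certificate is matched with one that keeps the configured %fromcert marker and derives the effective ID on each resolution. The struct layouts, function names and DN strings are hypothetical and constructed for illustration; a real derName is DER bytes, modelled here as a string.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified types: not libreswan's own definitions. */
enum id_kind { ID_FROMCERT, ID_DER_ASN1_DN };
struct id { enum id_kind kind; char name[64]; };
struct conn { struct id configured, effective; }; /* configured keeps %fromcert */

/* Behaviour described in the message: the %fromcert ID is overwritten in place. */
static void resolve_in_place(struct id *id, const char *cert_dn)
{
    if (id->kind != ID_FROMCERT)
        return; /* marker already gone, so a later certificate is ignored */
    id->kind = ID_DER_ASN1_DN;
    snprintf(id->name, sizeof(id->name), "%s", cert_dn);
}

/* Alternative: leave the configured ID untouched and re-derive the effective one. */
static void resolve_derived(struct conn *c, const char *cert_dn)
{
    c->effective = c->configured;
    if (c->configured.kind == ID_FROMCERT) {
        c->effective.kind = ID_DER_ASN1_DN;
        snprintf(c->effective.name, sizeof(c->effective.name), "%s", cert_dn);
    }
}

/* Returns 1 if the in-place ID follows a certificate change, else 0. */
int in_place_follows_cert_change(void)
{
    struct id id = { ID_FROMCERT, "" };
    resolve_in_place(&id, "CN=old"); /* constructed sample DNs */
    resolve_in_place(&id, "CN=new");
    return strcmp(id.name, "CN=new") == 0;
}

/* Returns 1 if the derived ID follows the change and %fromcert is preserved. */
int derived_follows_cert_change(void)
{
    struct conn c = { { ID_FROMCERT, "" }, { ID_FROMCERT, "" } };
    resolve_derived(&c, "CN=old");
    resolve_derived(&c, "CN=new");
    return !strcmp(c.effective.name, "CN=new") && c.configured.kind == ID_FROMCERT;
}

int main(void)
{
    printf("in place: %d, derived: %d\n", in_place_follows_cert_change(), derived_follows_cert_change());
    return 0;
}
```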

