[Swan-dev] match_certs_id()

Paul Wouters paul at nohats.ca
Thu Feb 7 17:51:13 UTC 2019


On Thu, 7 Feb 2019, D. Hugh Redelmeier wrote:

> | - they sometimes call it with a list of more than one cert.
> |   (I know this because I planted a pexpect to test for this.)
>
> I put a pexpect in match_certs_id to test for cases where the list had
> more than one entry.  Here are all the times it fired during a test
> run:
>
> testing/pluto/nss-cert-10-notyetvalid-responder-ikev2/OUTPUT/west.console.diff:14:-003 "nss-cert" #2: EXPECTATION FAILED: st != NULL && st->st_event != NULL && st->st_event->ev_type == EVENT_RETRANSMIT (in complete_v2_state_transition at /source/programs/pluto/ikev2.c:1827)

Different pexpect :)

> testing/pluto/nss-cert-chain-01-ikev2/OUTPUT/east.pluto.log:1758:"nss-cert-chain" #1: EXPECTATION FAILED: cert->next == NULL (in match_certs_id() at x509.c:779)

This does indicate that certificate chains are passed to the function.
Perhaps we are not guaranteed the order of the chain of certificates,
and we still haven't figured out which is the EE cert and which is the
intermediary root CA?

Paul

