[Swan-dev] match_certs_id()

D. Hugh Redelmeier hugh at mimosa.com
Thu Feb 7 18:42:06 UTC 2019


| From: Paul Wouters <paul at nohats.ca>

| > | - they sometimes call it with a list of more than one cert.
| > |   (I know this because I planted a pexpect to test for this.)
| >
| > I put a pexpect in match_certs_id to test for cases where the list had
| > more than one entry.  Here are all the times it fired during a test
| > run:
| >
| > testing/pluto/nss-cert-10-notyetvalid-responder-ikev2/OUTPUT/west.console.diff:14:-003
| > "nss-cert" #2: EXPECTATION FAILED: st != NULL && st->st_event != NULL &&
| > st->st_event->ev_type == EVENT_RETRANSMIT (in complete_v2_state_transition
| > at /source/programs/pluto/ikev2.c:1827)
| 
| different pexpect :)

Yes.

| > testing/pluto/nss-cert-chain-01-ikev2/OUTPUT/east.pluto.log:1758:"nss-cert-chain"
| > #1: EXPECTATION FAILED: cert->next == NULL (in match_certs_id() at
| > x509.c:779)
| 
| This does indicate that certificate chains are passed to the function.
| Perhaps we are not guaranteed the order of the chain of certificates,
| and we still haven't figured out which is the EE cert and which is the
| intermediary root CA ?

There are 29 instances of this in the test run.

What should be happening?

This is a matter of design and not conjecture.  But the design isn't
recorded.  It needs to be.
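To make the design question concrete, here is an added example (not libreswan code; the `toy_cert` struct, field names and sample subjects are assumptions for illustration only) of the two checks the thread is circling around: a length check that mirrors the `cert->next == NULL` pexpect, and an order-independent way to pick the end-entity cert out of a chain whose ordering is not guaranteed, namely the one whose subject is never the issuer of another entry in the list.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy certificate record (hypothetical; not libreswan's certificate type).
 * Only the names needed for chain ordering are modelled. */
struct toy_cert {
    const char *subject;
    const char *issuer;
    struct toy_cert *next;
};

/* Count entries in a singly linked chain. */
size_t chain_len(const struct toy_cert *c)
{
    size_t n = 0;
    for (; c != NULL; c = c->next)
        n++;
    return n;
}

/* Equivalent of the pexpect: true iff exactly one cert was passed. */
bool is_single_cert(const struct toy_cert *c)
{
    return c != NULL && c->next == NULL;
}

/* Return the end-entity cert: the entry whose subject never appears as the
 * issuer of another entry.  This does not depend on list order.  Returns
 * NULL when there is no such entry or more than one (ambiguous chain). */
const struct toy_cert *find_end_entity(const struct toy_cert *head)
{
    const struct toy_cert *found = NULL;
    for (const struct toy_cert *c = head; c != NULL; c = c->next) {
        bool issues_another = false;
        for (const struct toy_cert *o = head; o != NULL; o = o->next) {
            if (o != c && strcmp(o->issuer, c->subject) == 0) {
                issues_another = true;
                break;
            }
        }
        if (!issues_another) {
            if (found != NULL)
                return NULL;   /* two leaves: cannot decide */
            found = c;
        }
    }
    return found;
}

/* Constructed sample data: a three-cert chain deliberately linked CA-first,
 * i.e. not leaf-first, to show the selection is order-independent. */
static struct toy_cert root  = { "CN=root CA",         "CN=root CA",         NULL };
static struct toy_cert inter = { "CN=intermediate CA", "CN=root CA",         NULL };
static struct toy_cert ee    = { "CN=west",            "CN=intermediate CA", NULL };

const struct toy_cert *sample_chain_ca_first(void)
{
    root.next = &inter;
    inter.next = &ee;
    ee.next = NULL;
    return &root;
}

int main(void)
{
    const struct toy_cert *chain = sample_chain_ca_first();
    printf("chain length %zu, single cert: %s\n",
           chain_len(chain), is_single_cert(chain) ? "yes" : "no");
    const struct toy_cert *leaf = find_end_entity(chain);
    printf("end-entity cert: %s\n", leaf ? leaf->subject : "(ambiguous)");
    return 0;
}
```

Whether the id-matching function should only ever see a single end-entity cert, or should be handed the whole chain and select the leaf itself as above, is exactly the design decision the thread says needs to be written down; the example just shows that the second option is implementable without assuming an order.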


More information about the Swan-dev mailing list