[Swan-dev] X509: more clearly log warning/errors based on NSS profile used

Paul Wouters paul at nohats.ca
Fri Feb 22 21:27:45 UTC 2019


On Fri, 22 Feb 2019, D. Hugh Redelmeier wrote:

> commit 30f132ab693ccc852dc03c24879f1eae07dd1dd1
> Author: Paul Wouters <pwouters at redhat.com>
> Date:   Fri Feb 22 14:30:24 2019 -0500
> 	X509: more clearly log warning/errors based on NSS profile used
>
> I'm working on this code too :-(

Sorry :(

> There is evidence that you (Paul) don't understand the code 100%
> either.

Unfortunately, I spend a lot of time on this and know exactly what is
going on :)

> -		log_bad_cert(cur_log->head);
> +		log_bad_cert(usage == certificateUsageSSLClient ? "Warning" : "ERROR",
> +				cur_log->head);
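
Review bot: The ternary in the log_bad_cert() call derives the severity from `usage == certificateUsageSSLClient` with no comment saying why that one usage is only a warning; a short comment, or a named flag stating whether another validation attempt follows, would make the intent visible at the call site. The two labels are also cased differently ("Warning" vs "ERROR") and are passed as free-form strings, so an enum or boolean severity argument would keep callers consistent.
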
>
> At this point, it is an ERROR.  There is no way that a different
> "usage" will be tried.  As the comments above this say, the control
> flow is tricky.

It is an error in validation for sure. But we are now trying TWO
different kinds of certificate validation in NSS. One using its new
"IPsec profile" and one using the old style "TLS profile hack".

If the new IPsec profile method fails, we fall back to the old TLS hack
method. The change in this commit prevents the IPsec profile from
prematurely logging a fatal error in case the TLS profile succeeds.

From NSS's point of view, the IPsec profile failure is a failure.
From libreswan's point of view, it is not.

> And why have two log messages for the same case?

There is the IPsec profile, and the TLS profile hack. The TLS profile
hack is two calls to NSS for validation, once as a "TLS client" and if
that fails another try as a "TLS server".

> I have rewritten (but not published) the code in a way that is
> clearer, but still not clear enough.

Talk to me before publishing :)

Paul
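
A small model of the fallback logging described in the message above, added here as an example; it is not libreswan's or NSS's code. The profile names, `verify_with_fallback()` and the two sample verifiers are hypothetical, and the real validation call is replaced by a function pointer.

```c
#include <stdbool.h>
#include <stdio.h>

/* Validation attempts in the order the mail describes (names are hypothetical). */
enum profile { IPSEC, TLS_CLIENT, TLS_SERVER, PROFILE_COUNT };
static const char *const profile_name[PROFILE_COUNT] = {
    "IPsec", "TLS client", "TLS server"
};

/* Stand-in for the library call: true if the certificate passes under p. */
typedef bool (*verify_fn)(enum profile p);

struct verdict {
    bool ok;
    int accepted_by; /* profile that accepted, or -1 */
    int warnings;    /* failures logged while a fallback remained */
    int errors;      /* failures logged with no fallback left */
};

static struct verdict verify_with_fallback(verify_fn verify, FILE *log)
{
    struct verdict v = { false, -1, 0, 0 };

    for (int p = 0; p < PROFILE_COUNT; p++) {
        if (verify((enum profile)p)) {
            v.ok = true;
            v.accepted_by = p;
            return v;
        }
        /* Only the last attempt's failure is fatal for the caller. */
        bool last = (p == PROFILE_COUNT - 1);
        fprintf(log, "%s: %s profile rejected the certificate\n",
                last ? "ERROR" : "Warning", profile_name[p]);
        if (last)
            v.errors++;
        else
            v.warnings++;
    }
    return v;
}

/* Constructed sample certificates, reduced to which profiles accept them. */
static bool tls_client_only(enum profile p) { return p == TLS_CLIENT; }
static bool accepted_by_none(enum profile p) { (void)p; return false; }

int main(void)
{
    struct verdict a = verify_with_fallback(tls_client_only, stderr);
    struct verdict b = verify_with_fallback(accepted_by_none, stderr);
    return (a.ok && !b.ok) ? 0 : 1;
}
```

In this model a rejection is logged as a warning only while another attempt remains, so a certificate that is eventually accepted never produces an ERROR line.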

