[Swan-dev] commit 9bc2e4e7f61 broke self-signed certs

Paul Wouters paul at nohats.ca
Sun Nov 10 16:14:05 UTC 2019


On Sun, 10 Nov 2019, Andrew Cagney wrote:

> How so?
>
> The test results https://testing.libreswan.org/ from the commit
> https://testing.libreswan.org/v3.27-603-g9bc2e4e7f-master/ and test
> run https://testing.libreswan.org/v3.27-603-g9bc2e4e7f-master/x509-pluto-05/OUTPUT/
> show the test passing.

I think during those tests, there was still an EC-based CA cert in the
NSS DB. It did not do anything for the RSA certs validating, but it
prevented the code below from firing.

Removing the hunk fixed my issue. Is there a problem later in the code
that assumes root_certs != NULL?

Paul

> On Sat, 9 Nov 2019 at 16:43, Paul Wouters <paul at nohats.ca> wrote:
>>
>>
>> This commit:
>>
>> commit 9bc2e4e7f61ec5e4bfd303614974559ce389fbf4
>> Author: Andrew Cagney <cagney at gnu.org>
>> Date:   Sun Jan 13 16:17:09 2019 -0500
>>
>>      x509: eliminate VERIFY_RET* replacing verify_and_cache_chain() with find_and_verify_certs()
>>
>>
>>
>> introduced this code:
>>
>>          if (!pexpect(root_certs != NULL) || CERT_LIST_EMPTY(root_certs)) {
>>                  libreswan_log("No Certificate Authority in NSS Certificate DB! Certificate payloads discarded.");
>>                  return NULL;
>>          }
>>
>> This broke x509-pluto-05 that uses two self-signed certs without CA.
>>
>> Paul
>>
>> _______________________________________________
>> Swan-dev mailing list
>> Swan-dev at lists.libreswan.org
>> https://lists.libreswan.org/mailman/listinfo/swan-dev
>
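As an added illustration of the failure mode discussed in this thread (a toy model written for this page, not libreswan code, and not a claim about what pluto does after the quoted check), the C below treats a NULL or empty root-cert list as "no CA configured" rather than discarding the peer's certificate payload, so a self-signed peer cert can still be accepted when it matches a pre-configured certificate, and nothing dereferences root_certs unchecked. The struct layout, the function names and the sample certificates are all assumptions; no real signature verification is performed.

```c
/* Toy model, not libreswan code: certs are identified by subject, issuer
 * and serial only; "verification" here is name matching, nothing more. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

struct cert { const char *subject; const char *issuer; unsigned serial; };

/* Self-signed: issuer name equals subject name. */
static bool is_self_signed(const struct cert *c) {
    return strcmp(c->subject, c->issuer) == 0;
}

static bool same_cert(const struct cert *a, const struct cert *b) {
    return a->serial == b->serial && strcmp(a->subject, b->subject) == 0
        && strcmp(a->issuer, b->issuer) == 0;
}

/* root_certs may be NULL or empty: both mean "no CA configured".
 * pinned is an optional pre-configured end-entity cert, modelling the
 * two self-signed certs without a CA from the x509-pluto-05 test. */
bool verify_peer(const struct cert *root_certs, size_t n_roots,
                 const struct cert *pinned, const struct cert *peer) {
    if (peer == NULL) return false;
    /* Self-signed peer: trusted only if it matches the configured cert. */
    if (is_self_signed(peer))
        return pinned != NULL && same_cert(pinned, peer);
    /* CA-issued peer: need a self-signed root whose subject issued it.
     * A NULL list is handled like an empty one instead of being assumed
     * non-NULL further down. */
    if (root_certs == NULL) n_roots = 0;
    for (size_t i = 0; i < n_roots; i++)
        if (is_self_signed(&root_certs[i])
            && strcmp(root_certs[i].subject, peer->issuer) == 0)
            return true;
    return false;
}

/* Constructed sample certificates (hypothetical names and serials). */
const struct cert EAST   = { "CN=east", "CN=east", 1 };  /* self-signed peer */
const struct cert BOGUS  = { "CN=east", "CN=east", 2 };  /* same name, other serial */
const struct cert CA     = { "CN=ca",   "CN=ca",   7 };  /* a root */
const struct cert ISSUED = { "CN=west", "CN=ca",   9 };  /* issued by CA */
```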

