[Swan-dev] commit 9bc2e4e7f61 broke self-signed certs

Andrew Cagney andrew.cagney at gmail.com
Sun Nov 10 18:49:17 UTC 2019


BTW, just a sanity check.  Have you tried the "fixed test" on the code
prior to commit 9bc... (i.e., with all the SKIP cruft?).

On Sun, 10 Nov 2019 at 12:59, Andrew Cagney <andrew.cagney at gmail.com> wrote:
>
> On Sun, 10 Nov 2019 at 11:14, Paul Wouters <paul at nohats.ca> wrote:
> >
> > On Sun, 10 Nov 2019, Andrew Cagney wrote:
> >
> > > How so?
> > >
> > > The test results https://testing.libreswan.org/ from the commit
> > > https://testing.libreswan.org/v3.27-603-g9bc2e4e7f-master/ and test
> > > run https://testing.libreswan.org/v3.27-603-g9bc2e4e7f-master/x509-pluto-05/OUTPUT/
> > > show the test passing.
> >
> > I think during those tests, there was still an ec based CA cert in the
> > nss db. It did not do anything for the RSA certs validating, but it
> > prevented the code below from firing.
>
> The reverse?
>
> It looks like it is checking that there's a root ca, and when there
> isn't barf.  A correctly set up and installed self signed cert should
> have been returned?
>
> > Removing the hunk fixed my issue. Is there a problem later in the code
> > that assumes root_certs != NULL ?
> >
> > Paul
> >
> > > On Sat, 9 Nov 2019 at 16:43, Paul Wouters <paul at nohats.ca> wrote:
> > >>
> > >>
> > >> This commit:
> > >>
> > >> commit 9bc2e4e7f61ec5e4bfd303614974559ce389fbf4
> > >> Author: Andrew Cagney <cagney at gnu.org>
> > >> Date:   Sun Jan 13 16:17:09 2019 -0500
> > >>
> > >>      x509: eliminate VERIFY_RET* replacing verify_and_cache_chain() with find_and_verify_certs()
> > >>
> > >>
> > >>
> > >> introduced this code:
> > >>
> > >>          if (!pexpect(root_certs != NULL) || CERT_LIST_EMPTY(root_certs)) {
> > >>                  libreswan_log("No Certificate Authority in NSS Certificate DB! Certificate payloads discarded.");
> > >>                  return NULL;
> > >>          }
> > >>
> > >> This broke x509-pluto-05 that uses two selfsigned certs without CA.
> > >>
> > >> Paul
> > >>
> > >> _______________________________________________
> > >> Swan-dev mailing list
> > >> Swan-dev at lists.libreswan.org
> > >> https://lists.libreswan.org/mailman/listinfo/swan-dev
> > >