[Swan-dev] commit 9bc2e4e7f61 broke self-signed certs

Paul Wouters paul at nohats.ca
Tue Nov 12 01:51:05 UTC 2019


On Sun, 10 Nov 2019, Andrew Cagney wrote:

> BTW, just a sanity check.  Have you tried the "fixed test" on the code
> prior to commit 9bc... (i.e., with all the SKIP cruft?).

It also fails there.

>> It looks like it is checking that there's a root ca, and when there
>> isn't barf.  A correctly set up and installed self signed cert should
>> have been returned?

These are actually not self-signed certs. These are "hardcoded" certs in
leftcert= and rightcert=

>>> Removing the hunk fixed my issue. Is there a problem later in the code
>>> that assumes root_certs != NULL ?

>>>>> introduced this code:
>>>>>
>>>>>          if (!pexpect(root_certs != NULL) || CERT_LIST_EMPTY(root_certs)) {
>>>>>                  libreswan_log("No Certificate Authority in NSS Certificate DB! Certificate payloads discarded.");
>>>>>                  return NULL;
>>>>>          }

I still think this check should go away.

Paul


More information about the Swan-dev mailing list