[Swan-dev] commit 9bc2e4e7f61 broke self-signed certs
Paul Wouters
paul at nohats.ca
Tue Nov 12 01:51:05 UTC 2019
On Sun, 10 Nov 2019, Andrew Cagney wrote:
> BTW, just a sanity check. Have you tried the "fixed test" on the code
> prior to commit 9bc... (i.e., with all the SKIP cruft?).
It also fails there.
>> It looks like it is checking that there's a root ca, and when there
>> isn't barf. A correctly set up and installed self signed cert should
>> have been returned?
These are actually not self-signed certs. These are "hardcoded" certs in
leftcert= and rightcert=
>>> Removing the hunk fixed my issue. Is there a problem later in the code
>>> that assumes root_certs != NULL ?
>>>>> introduced this code:
>>>>>
>>>>> if (!pexpect(root_certs != NULL) || CERT_LIST_EMPTY(root_certs)) {
>>>>>         libreswan_log("No Certificate Authority in NSS Certificate DB! Certificate payloads discarded.");
>>>>>         return NULL;
>>>>> }
I still think this check should go away.
Paul