[Swan-dev] rightcert=north rightca=%same

Paul Wouters paul at nohats.ca
Thu Oct 29 03:14:50 UTC 2020


On Wed, 28 Oct 2020, Andrew Cagney wrote:

> in ikev2-x509-20-multicert-rightid-san-wildcard, this causes right to
> leak "issuer ca":
> https://testing.libreswan.org/v4.1-83-g9d775e57d4-main/ikev2-x509-20-multicert-rightid-san-wildcard/OUTPUT/east.console.diff
> - right.ca=%same, so remember to set right.ca to left.ca
> - rightcert=north, so set right.ca to clone(north.der, "issuer ca")
> - oh, just remembered, set right.ca to clone(left.ca), leaking old value
> (vis-à-vis left)
> So is the above valid?

The configuration is valid, although rightca=%same is likely not needed
there, as %same is also the default. So this should show up too in cases
without leftca=%same or rightca=%same.

Paul

