[Swan-dev] can add connection require a private key?
andrew.cagney at gmail.com
Fri Sep 18 14:40:54 UTC 2020
On Thu, 17 Sep 2020 at 16:05, Paul Wouters <paul at nohats.ca> wrote:
> On Thu, 17 Sep 2020, Andrew Cagney wrote:
> > Currently the code just warns when trying to add a connection with no
> > private key. Instead much much later - during the auth exchange - the
> > code tries to find the private key.
> > Presumably this is because the end may not need the private key.
> Yes, that is:
> conn test
> rightrsasigkey=%fromcert # implied as default
> When loading this conn, pluto does not know if it is left or right. The
> same config could be used on both endpoints, and somecert would only be
> on one endpoint. Whether this is worth supporting is something else. I
> could see where we just always try to load the leftcert= / rightcert=
> and throw an error when we can't load it. The idea behind re-using the
> same config on both sides is slowly vanishing anyway. And if I get to
> do some kind of rewrite with a new config format, then I think I would
> be tempted to use [inifile] type syntax anyway.
> But, if currently the only issue is a "late failure" vs "early failure"
> then I suggest to just leave it as "late failure".
Ah, so there are now 4 places where the check could be made:
-- this is where the cert is currently being checked so, to your point, it
is technically wrong; it does help explain why the code seems so wishy-washy
-- which could be during "whack add", "whack listen", or even triggered by
-> "whack up" (i.e., the trigger for the IKE SA init request/response)
-- this is the lazy case
-- during IKE_AUTH - this is where private keys sometimes get loaded
-- in the responder this would mean accepting connections only to toss
them; seems wrong
So here's the next question.
- if orient() tries to load a cert and fails, should the connection be
tossed or left unoriented?
For "whack listen" and ifconfig, the answer is probably yes - having a
connection magically disappear would be confusing. However, for "whack
add" when oriented? I guess leave it unoriented (which is arguably better
than having it added, enabled, but unusable).
> > I'm wondering if there's enough information available to determine that
> > the private key is required when the connection is being added. If a
> > connection can specify multiple optional auth methods then probably not?
> Perhaps after orienting there is. Before that, I think it is a little
> > (a case when there isn't is with rsasigkey - that only arrives after the
> > connection is added; grrrr)
> I'm fine with that failing to load, provided we would be sure we had
> oriented properly ?
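The early-versus-late check discussed in this thread hinges on orientation: before pluto knows which end of a conn is local, it cannot tell whose cert (and private key) must be loadable. The following Python model is an added illustration, not libreswan/pluto code; `End`, `Conn`, `Host`, `check_at_add`, `orient`, `check_after_orient` and the addresses and cert name `somecert` are constructed for the example. It loads the same shared config on three hosts and shows why "whack add" can only warn, while a check after orient() can reject (or leave unoriented) exactly the end that is missing its key.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class End:
    """One end of a conn (hypothetical model of pluto's left/right end)."""
    addr: str
    cert: Optional[str] = None        # leftcert=/rightcert=; None means no cert
    rsasigkey: str = "%fromcert"      # pubkey taken from the cert (the default)


@dataclass
class Conn:
    name: str
    left: End
    right: End
    local: Optional[str] = None       # "left" or "right" once oriented


@dataclass
class Host:
    """What this endpoint has: its interface addresses and the certs it can
    load; certs maps cert name -> True if the matching private key is present."""
    ifaddrs: frozenset
    certs: Dict[str, bool]


def check_at_add(conn: Conn, host: Host) -> str:
    """'whack add' time: orientation is unknown, so a cert this host cannot
    load can only be a warning. The same config may be installed on both
    endpoints with the cert present on only one of them."""
    missing = [side for side in ("left", "right")
               if getattr(conn, side).cert is not None
               and getattr(conn, side).cert not in host.certs]
    return "warn" if missing else "ok"


def orient(conn: Conn, host: Host) -> Optional[str]:
    """Decide which end is local by matching end addresses against interfaces."""
    l = conn.left.addr in host.ifaddrs
    r = conn.right.addr in host.ifaddrs
    conn.local = "left" if l and not r else "right" if r and not l else None
    return conn.local


def check_after_orient(conn: Conn, host: Host) -> str:
    """'whack listen' / orient() time: the local end is now known, so the
    private-key requirement is checked for that end only. On failure the
    conn is left unoriented rather than added-but-unusable."""
    if orient(conn, host) is None:
        return "unoriented"
    end = getattr(conn, conn.local)
    if end.cert is None:
        return "ok"                   # no cert configured: nothing to load
    if not host.certs.get(end.cert, False):
        conn.local = None             # cert (or its key) missing: stay unoriented
        return "no-private-key"
    return "ok"


def shared_conn() -> Conn:
    # Constructed config: the same text is loaded on both endpoints; only the
    # left end names a cert, the right end relies on rightrsasigkey=%fromcert.
    return Conn("test",
                left=End("192.0.2.1", cert="somecert"),
                right=End("198.51.100.1"))


if __name__ == "__main__":
    owner = Host(frozenset({"192.0.2.1"}), {"somecert": True})     # has cert+key
    peer = Host(frozenset({"198.51.100.1"}), {})                     # other endpoint
    keyless = Host(frozenset({"192.0.2.1"}), {"somecert": False})   # cert, no key
    for label, host in (("owner", owner), ("peer", peer), ("keyless", keyless)):
        c = shared_conn()
        print(label, "add:", check_at_add(c, host),
              "orient:", check_after_orient(c, host), "local:", c.local)
```

Run as-is, the "peer" host warns at add time (it has no somecert) yet is perfectly usable once oriented as right, which is the case Paul describes; the "keyless" host passes the add-time check but is caught after orient() and left unoriented, which is the early failure Andrew is after.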