[Swan-dev] can add connection require a private key?
paul at nohats.ca
Mon Sep 21 02:16:29 UTC 2020
On Sun, 20 Sep 2020, Andrew Cagney wrote:
> - if orient() tries to load a cert and fails, should the connection be tossed or left unoriented?
It's too late then, isn't it? The connection is already loaded before
orient() can be called on it.
> First, it looks like the message generated by "ipsec whack --label 'SAwest-east leftrsasigkey' --keyid
> "@west" --pubkeyrsa ..." should trigger an attempt to load the corresponding private key (but ignore
> failure). Both of these:
> were relying on *.secrets triggering an attempt to load the private key.
> and this leads to a potential refinement:
> - "add" triggers a lazy attempt at loading the private key - this already happens with certificates (it
> warns when the private key is missing)
> - orient() can then check that the public / private key is available