[Swan-dev] can add connection require a private key?

Andrew Cagney andrew.cagney at gmail.com
Tue Sep 22 00:15:54 UTC 2020

On Sun, 20 Sep 2020 at 22:16, Paul Wouters <paul at nohats.ca> wrote:

> On Sun, 20 Sep 2020, Andrew Cagney wrote:
> > - if orient() tries to load a cert and fails, should the connection be
> > tossed or left unoriented?
> It's too late then, isn't it? The connection is already loaded before
> orient() can be called on it.
> > First, it looks like the message generated by "ipsec whack --label
> > 'SAwest-east leftrsasigkey' --keyid "@west" --pubkeyrsa ..." should
> > trigger an attempt to load the corresponding private key (but ignore
> > failure). Both of these:
> >
> > https://testing.libreswan.org/v3.30-1714-gcab2172733-main/delete-sa-01/OUTPUT/west.console.txt
> > https://testing.libreswan.org/v3.30-1714-gcab2172733-main/ikev2-55-ipseckey-02/OUTPUT/east.console.diff
> >
> > were relying on *.secrets triggering an attempt to load the private key.

I believe these are fixed.

A follow-up is to look at dropping how rsasigkey=... causes the key to be
added to the cache (why not just bind it to its connection).

> >
> > and this leads to a potential refinement:
> >
> > - "add" triggers a lazy attempt at loading the private key - this
> > already happens with certificates (it warns when the private key is
> > missing)

I'm probably going to push this.
It also logs a message (but not to whack) when the private key gets loaded
(vs found in the cache).

> > - orient() can then check that the public / private key is available
> However this can be left until post 4.0.
I'm seeing tests where the preloaded private key gets deleted while the
connection is up.  get_connection_private_key() then re-loads it.

> Paul