paul at nohats.ca
Tue Sep 22 21:20:33 UTC 2020
On Tue, 22 Sep 2020, Andrew Cagney wrote:
> Regardless of the end, a line like:
> will always add public keys like:
> (generated?) leftid / leftrsasigkey
> (generated?) leftid / leftrsasigkey2
> to the list of raw public keys. Left will then try all raw public keys matching <id>.
> The problem is that the above aren't tied to "left". Any connection, provided the id matches, will use the raw public key; and
> sometimes use the wrong one.
> Are there any ideas on how to extract us from this quirky mis-feature? For instance:
> - let ipsec.secrets define raw public keys?
> - come up with a syntax that makes it clear that it is shared?
> - tie it to the connection's end somehow?
> - drop it?
leftrsasikey2 feature should be dropped. It was meant to allow key
rollover when publishing IPSECKEY's in DNS. But our recent OE work
had shown that this never worked, and still does not work. And what
you really need anyway is publishing multiple DNS records and
than just instantly switch leftrsasigkey=
We found it could never use leftrsasigkey2. So I think it is a good
candidate for libreswan 4.0 removal.
More information about the Swan-dev