Hi Paul

On Mon, Jun 28, 2010 at 01:05:56PM -0400, Paul Wouters wrote:
> On Mon, 28 Jun 2010, Rene Mayrhofer wrote:
>
> >On Monday 28 June 2010 07:51:07 Harald Jenny wrote:
> >>Sorry Paul but I don't think the current behaviour is correct - there is no
> >>indication for the user why *id is ignored and this is not good :-(.
> >I would tend to agree with that...
>
> On 2.6, it should have a leftid=%fromcert
>
> This change was made because in 2.4 it ALWAYS took the id from cert, and you could
> not override it. Now it takes the id from leftid= but you have to tell it to pick
> it up from the cert.
>
> But imho, this has nothing to do with this "bug". If you have a conn with a broken
> leftcert= pointing to a non-existing file, it can't work. It cannot grab the id from
> the cert since the cert is not there. I still don't understand how that could ever "work"
> on 2.4.
>
> I am getting increasingly frustrated with this. It needs a much better explanation of
> how it can "work". And "work" should be more than "loads the conn that has no chance of
> ever working"
I think I found something: in programs/pluto/connections.c, line 816

    if(!valid_cert) {
        whack_log(RC_FATAL, "can not load certificate file %s\n", filename);
        /* clear the ID, we're expecting it via %fromcert */
        dst->id.kind = ID_NONE;
        return;
    }

This is an incorrect assumption because since version 2.5.16 leftid does not default
anymore to %fromcert. On the other hand it seems that in 2.4.12 the leftid value is kept
even when no leftcert is present. What implications would a removal of

    dst->id.kind = ID_NONE;

have?

> > Paul

Kind regards
Harald
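Added illustration, not Openswan's code and not from anyone in this thread: a small C model of the two ways the failed-certificate path can treat an id that was set explicitly in the config. The enum, the conn_end struct and the load_cert() stub are assumptions; the "preserving" variant is one possible reading of the question above, not an agreed fix.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of how the id for one connection end was obtained. */
enum id_kind { ID_NONE = 0, ID_FROMCERT = 1, ID_CONFIGURED = 2 };

struct conn_end {
    enum id_kind kind;
    char name[64];          /* the configured leftid/rightid value, if any */
};

/* Stand-in for certificate loading: only one constructed path "exists". */
static int load_cert(const char *filename)
{
    return filename != NULL &&
           strcmp(filename, "/etc/ipsec.d/certs/present.pem") == 0;
}

/* Behaviour of the quoted connections.c code: a failed leftcert load clears
 * the id unconditionally, so an explicit leftid= is silently thrown away. */
static enum id_kind load_end_clearing(struct conn_end *dst, const char *cert_file)
{
    if (!load_cert(cert_file)) {
        fprintf(stderr, "can not load certificate file %s\n", cert_file);
        dst->kind = ID_NONE;
    }
    return dst->kind;
}

/* Alternative: clear the id only when it was to come from the certificate
 * (leftid=%fromcert); a configured id is kept and the load failure is still
 * reported, so the admin sees why the conn cannot come up. */
static enum id_kind load_end_preserving(struct conn_end *dst, const char *cert_file)
{
    if (!load_cert(cert_file)) {
        fprintf(stderr, "can not load certificate file %s\n", cert_file);
        if (dst->kind == ID_FROMCERT)
            dst->kind = ID_NONE;    /* nothing left to derive the id from */
    }
    return dst->kind;
}
```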