> On Sep 30, 2015, at 6:09 PM, Reyk Floeter <r...@openbsd.org> wrote:
>
>> On Wed, Sep 30, 2015 at 04:30:15PM +0100, Stuart Henderson wrote:
>>> On 2015/09/30 17:17, Reyk Floeter wrote:
>>> The attached diff always responds with a CERT or public key. If the
>>> peer didn't send a CERTREQ, iked now picks a cert based on its own
>>> trusted CAs (which usually includes the CA that signed your local
>>> cert).
>>
>> This diff looks sane, OK with me, though I don't have a way to test it.
>
> Testing it with non-iOS implementations would also help :)
>

I'll happily test against iOS 9.1, El Capitan (10.11 and 10.11.1). As I'm in Sweden for EuroBSD and need to connect back to the US - it's easy enough.

>> That may also fix a problem with IKEv2 on BlackBerry and Firebrick
>> if my diff from https://marc.info/?l=openbsd-misc&m=143594978109212&w=2
>> is added on top of this. (I don't have any of this hardware myself though).
>
> Your diff under the URL above looks right - OK. If we received an
> empty CERTREQ, I think it is safe to ignore it and to assume that we
> didn't receive a valid CERTREQ at all.

-bp
@creepingfur