Matt, thanks for the reply,

On 3 February 2015 at 17:27, Matt Rogers <mrog...@redhat.com> wrote:
> Hey, sorry for the late reply here. Been away from email/irc for the
> day. In short the dist_certs.py is the WIP replacement for the
> shell script, however right now it is only tuned to x509 tests that
> are not a part of the make check list. IIRC ones that are still in the
> list are just basic cases and use the east/west certs. So for the full
> run you will want to still use dist_certs.

The problem here is that the old dist_certs file is broken - it dies
trying to sign an invalid cert using "openssl ca". While, in theory, it
might be fixable, I don't see any value in the effort. What is being
done here is decidedly "off script" so the more powerful combination of
a programming language like python and direct openssl library calls is
a far better solution(1).

> I have a _lot_ of changes to the certificate code on the way and part
> of that will be revised set of x509 tests that can be included in make
> check, so when we're ready I'll be sure to update it with dist_certs.py

Cool. I thought more about the suggestion to add it to swantest and I
don't like it - this is part of the build system so should be fully
exposed in the Makefiles.

Can you check in what you have? Since I'm going to use dist_certs.py
regardless, I might as well run the current code.

Andrew

(1) I speak from experience, I've had to abuse Java's certificate
library so it would do decidedly off-script stuff involving HTTPS,
certificates, key stores and trust stores. Neither openssl, nor
keytool, were sufficient.
_______________________________________________
Swan-dev mailing list
Swan-dev@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan-dev