On Fri, 24 Jan 2020, Antony Antony wrote:
> while testing xfrmi Tuomo noticed regression in connswitch code.

It is not a regression. It is a fix. It does show we have another problem with connswitching. This issue, and the OE shunt issue and the two release blockers for 3.30

> I didn't yet figure out why c3ac240cb is necessary. So I am not reverting this commit in master yet.

Do not revert it. Without it, the responder does not verify the IKE peer ID used appears on the certificate received. While this is mostly harmless on VPN servers (responders that accept any certificate as long as their CA signed it, irrespective of ID/SAN), it does provide security against a group of servers using certificates and static connections (e.g. a compromise of one could result in stealing traffic of another non-compromised node). A number of emails were sent about this on the team alias.

Paul

_______________________________________________
Swan-dev mailing list
Swan-dev@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan-dev
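As an added illustration of the responder-side check Paul describes (this is not libreswan's code; the certificate model, the trusted-CA name and the node names are constructed), the weak CA-only acceptance is shown beside the fixed check that also requires the claimed IKE ID to appear on the certificate:

```python
"""Model of the responder-side check: the IKE peer ID must appear on the
peer's certificate, not merely be signed by a trusted CA (constructed example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address

TRUSTED_CA = "CN=Example VPN CA"  # constructed issuer name


@dataclass
class Cert:
    """Minimal stand-in for a parsed X.509 certificate (constructed)."""
    issuer: str
    subject_dn: str
    san_dns: list = field(default_factory=list)
    san_email: list = field(default_factory=list)
    san_ip: list = field(default_factory=list)


def ca_signed(cert: Cert) -> bool:
    """Stand-in for signature verification: issuer must be our trusted CA."""
    return cert.issuer == TRUSTED_CA


def id_on_cert(id_type: str, id_value: str, cert: Cert) -> bool:
    """Does the IKE peer ID (RFC 7296 ID types) appear on the certificate?"""
    if id_type == "ID_FQDN":
        return id_value.lower() in (d.lower() for d in cert.san_dns)
    if id_type == "ID_USER_FQDN":
        return id_value.lower() in (e.lower() for e in cert.san_email)
    if id_type == "ID_IPV4_ADDR":
        return any(ip_address(id_value) == ip_address(i) for i in cert.san_ip)
    if id_type == "ID_DER_ASN1_DN":
        return id_value == cert.subject_dn
    return False  # unknown ID type: never match


def accept_peer_ca_only(id_type: str, id_value: str, cert: Cert) -> bool:
    """The weak check: any certificate from our CA is accepted for any ID."""
    return ca_signed(cert)


def accept_peer(id_type: str, id_value: str, cert: Cert) -> bool:
    """The fixed check: trusted CA *and* the claimed ID is on the certificate."""
    return ca_signed(cert) and id_on_cert(id_type, id_value, cert)


# Constructed scenario: node B is compromised; its own cert is validly
# CA-signed, but it claims node A's identity to divert A's traffic.
CERT_A = Cert(TRUSTED_CA, "CN=nodea.example.com", san_dns=["nodea.example.com"])
CERT_B = Cert(TRUSTED_CA, "CN=nodeb.example.com", san_dns=["nodeb.example.com"])
```

With the CA-only rule, `accept_peer_ca_only("ID_FQDN", "nodea.example.com", CERT_B)` succeeds; `accept_peer` rejects the same presentation while still accepting node A's genuine certificate.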