On Tue, 22 Sep 2020, Andrew Cagney wrote:

> Regardless of the end, a line like:
>    leftrsasigkey=
>    leftrsasigkey2=...
> will always add public keys like:
>    (generated?) leftid / leftrsasigkey
>    (generated?) leftid / leftrsasigkey2
> to the list of raw public keys.  Left will then try all raw public keys
> matching <id>.
>
> The problem is that the above aren't tied to "left".  Any connection,
> provided the id matches, will use the raw public key; and sometimes use
> the wrong one.
>
> Are there any ideas on how to extract us from this quirky mis-feature?
> For instance:
> - let ipsec.secrets define raw public keys?
> - come up with a syntax that makes it clear that it is shared?
> - tie it to the connection's end somehow?
> - drop it?

The leftrsasigkey2 feature should be dropped. It was meant to allow key
rollover when publishing IPSECKEYs in DNS. But our recent OE work
has shown that this never worked, and still does not work. And what
you really need anyway is publishing multiple DNS records and
then just instantly switch leftrsasigkey=

We found it could never use leftrsasigkey2. So I think it is a good
candidate for libreswan 4.0 removal.

Paul
_______________________________________________
Swan-dev mailing list
Swan-dev@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan-dev
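As an added illustration of the pool behaviour Andrew describes above (a constructed model, not libreswan's own code; the conn names, ids and key strings are placeholders), this loads every leftrsasigkey/leftrsasigkey2 value into one pool keyed only by id, so a lookup for one conn also returns the other conn's keys, and contrasts that with the per-end binding proposed as one fix:

```python
import re

# Constructed ipsec.conf-style input: two conns sharing the same leftid.
SAMPLE_CONF = """\
conn site-a
    leftid=@gw.example
    leftrsasigkey=0sAAAA-keyA1
    leftrsasigkey2=0sAAAA-keyA2
    right=%any

conn site-b
    leftid=@gw.example
    leftrsasigkey=0sAAAA-keyB1
    right=%any
"""

# Matches leftrsasigkey, leftrsasigkey2, rightrsasigkey, rightrsasigkey2.
KEY_RE = re.compile(r"^(left|right)rsasigkey2?$")


def parse_conns(text):
    """Return {conn_name: {key: value}} for a minimal conn-only config."""
    conns, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("conn "):
            cur = conns.setdefault(line.split(None, 1)[1], {})
        elif "=" in line and cur is not None:
            k, v = line.split("=", 1)
            cur[k.strip()] = v.strip()
    return conns


def global_pool(conns):
    """The quirk: (id, key) pairs with no record of which conn/end added them."""
    pool = []
    for settings in conns.values():
        for k, v in settings.items():
            m = KEY_RE.match(k)
            if m:
                pool.append((settings.get(m.group(1) + "id"), v))
    return pool


def candidates_global(pool, end_id):
    """All keys the id-keyed pool offers for an id, regardless of conn."""
    return [key for (i, key) in pool if i == end_id]


def candidates_per_end(conns, conn_name, end):
    """Proposed fix: only keys declared on this conn's own end."""
    s = conns[conn_name]
    return [v for k, v in s.items() if KEY_RE.match(k) and k.startswith(end)]
```

With the sample above, the id-keyed pool offers site-b's key when authenticating site-a (and vice versa), while the per-end lookup returns only the keys each conn declared.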