FYI, I've updated/merged/cleaned out these code paths:

- only main mode responder and IKE_AUTH responder call refine_host_connection*(); no other code path can change the connection during AUTH (not to be confused with TS)
- all code paths use update_peer_id() to select the peer; if you've thoughts about the following two points, please add them to the bug:
  -> when %fromcert and no certs, peer ID must be a DN (some code paths didn't enforce this) https://github.com/libreswan/libreswan/issues/600
  -> when ALLOW_NO_SAN, ID is not updated (some did, some didn't) https://github.com/libreswan/libreswan/issues/597
- Aggressive Mode responder selects the peer ID during the first request (before it was pretty vague)
  -> if no certs arrive during the first request and %fromcert, ID is updated; then
  -> if certs arrive during the second request, they get checked at that point

I see zero fails. But I'm sure we've WIP tests lurking that perhaps should be updated and checked?

_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
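The peer-ID selection rules listed in the message above (%fromcert without certs requires a DN, ALLOW_NO_SAN leaves the ID alone, Aggressive Mode selects the ID on the first request and checks a late cert against it), as an added toy model in C. This is example code, not libreswan's update_peer_id() or refine_host_connection(); every struct and function name here (peer_id_policy, select_peer_id, check_late_cert, run_scenarios), the string-based cert matching, and the constructed east/west certs are assumptions for illustration, and certificate chain validation is assumed to have already happened.

```c
/* Added example, not libreswan code: a toy model of the peer-ID selection
 * rules listed in the message above. All names (peer_id_policy,
 * select_peer_id, check_late_cert, run_scenarios) and the string-based cert
 * matching are assumptions for illustration; chain validation is assumed done. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum id_kind { ID_NONE, ID_FQDN, ID_USER_FQDN, ID_IPV4_ADDR, ID_DER_ASN1_DN };
struct id { enum id_kind kind; const char *name; };         /* "east.example.com", "CN=east,O=Example" */
struct cert { const char *subject_dn; const char *san[4]; }; /* SAN list NULL terminated */
struct peer_id_policy {
    bool fromcert;        /* peer id configured as %fromcert */
    bool allow_no_san;    /* ALLOW_NO_SAN: cert need not carry the ID as a SAN */
};
enum outcome {
    PEER_ID_ACCEPTED,         /* *out holds the selected peer ID */
    PEER_ID_REJECT_NOT_DN,    /* %fromcert with no cert: ID payload must be a DN */
    PEER_ID_REJECT_NO_MATCH   /* cert does not vouch for the selected ID */
};

/* Does the cert vouch for this ID? A DN ID must equal the subject; any other
 * kind must appear in the SAN list. */
static bool cert_matches_id(const struct cert *c, const struct id *id)
{
    if (id->kind == ID_DER_ASN1_DN)
        return strcmp(c->subject_dn, id->name) == 0;
    for (size_t i = 0; c->san[i] != NULL; i++)
        if (strcmp(c->san[i], id->name) == 0)
            return true;
    return false;
}

/* Select the peer ID from the ID payload plus any cert in the same request.
 * cert == NULL means no CERT payload arrived (e.g. Aggressive Mode's first
 * request). */
enum outcome select_peer_id(const struct peer_id_policy *pol, const struct id *asserted,
                            const struct cert *cert, struct id *out)
{
    if (pol->fromcert && cert == NULL) {
        /* nothing to take the ID from yet, so the asserted ID itself must be a DN */
        if (asserted->kind != ID_DER_ASN1_DN)
            return PEER_ID_REJECT_NOT_DN;
        *out = *asserted;
        return PEER_ID_ACCEPTED;
    }
    if (cert != NULL && !pol->allow_no_san && !cert_matches_id(cert, asserted))
        return PEER_ID_REJECT_NO_MATCH;
    if (cert != NULL && pol->fromcert && !pol->allow_no_san) {
        out->kind = ID_DER_ASN1_DN;     /* %fromcert: ID becomes the cert subject */
        out->name = cert->subject_dn;
        return PEER_ID_ACCEPTED;
    }
    *out = *asserted;   /* fixed configured ID, or ALLOW_NO_SAN: ID is not updated */
    return PEER_ID_ACCEPTED;
}

/* Aggressive Mode responder, second request: a cert that only arrives now is
 * checked against the ID selected during the first request. */
enum outcome check_late_cert(const struct id *selected, const struct cert *cert)
{
    return cert_matches_id(cert, selected) ? PEER_ID_ACCEPTED : PEER_ID_REJECT_NO_MATCH;
}

/* Constructed scenarios; true if every rule behaves as the message describes. */
bool run_scenarios(void)
{
    const struct cert east = { "CN=east,O=Example", { "east.example.com", NULL } };
    const struct cert west = { "CN=west,O=Example", { "west.example.com", NULL } };
    const struct id fqdn = { ID_FQDN, "east.example.com" };
    const struct id dn = { ID_DER_ASN1_DN, "CN=east,O=Example" };
    const struct peer_id_policy fromcert = { true, false }, no_san = { false, true };
    struct id out = { ID_NONE, NULL };

    /* %fromcert, Aggressive Mode first request without a cert */
    if (select_peer_id(&fromcert, &fqdn, NULL, &out) != PEER_ID_REJECT_NOT_DN) return false;
    if (select_peer_id(&fromcert, &dn, NULL, &out) != PEER_ID_ACCEPTED) return false;
    /* cert shows up in the second request: checked against the selected DN */
    if (check_late_cert(&out, &east) != PEER_ID_ACCEPTED) return false;
    if (check_late_cert(&out, &west) != PEER_ID_REJECT_NO_MATCH) return false;
    /* %fromcert with the cert in the same request: ID taken from the subject */
    if (select_peer_id(&fromcert, &fqdn, &east, &out) != PEER_ID_ACCEPTED) return false;
    if (out.kind != ID_DER_ASN1_DN || strcmp(out.name, east.subject_dn) != 0) return false;
    /* ALLOW_NO_SAN: SAN mismatch tolerated and the ID is not updated */
    if (select_peer_id(&no_san, &fqdn, &west, &out) != PEER_ID_ACCEPTED) return false;
    return out.kind == ID_FQDN;
}

int main(void)
{
    printf("%s\n", run_scenarios() ? "all scenarios behave as described" : "FAIL");
    return 0;
}
```

The point of splitting select_peer_id() from check_late_cert() is the Aggressive Mode ordering the message describes: the ID is fixed on the first request, and a cert that arrives later is verified against that already-selected ID rather than being allowed to change it.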
