On 17/02/11 23:49, Timo Teräs wrote:
> On 02/17/2011 03:24 AM, Roman Hoog Antink wrote:
>> While using RSA keys instead of certificates, I get lots of these log
>> messages:
>>
>> racoon: WARNING: CERT validation disabled by configuration
>>
>> I tried all sorts of validate_identifier / validate_cert combinations.
>>
>> (Turning verify_cert on with RSA keys will yield an error "no ID nor
>> CERT found.", so that setting makes no sense anyway.)
>>
>> I wonder if this warning makes any sense at all when not using certificates.
>>
>> What exactly is the security risk meant by that warning when using RSA
>> keys instead of certificates?
>>
>> Maybe we should suppress that warning in oakley.c:1488 when using
>> pre-shared or RSA keys?
>
> Sounds like brain damage to me. If we are using plain RSA from local
> files, it doesn't really make sense to do cert validation.
>
> I'd rather fix the error at oakley.c:1892, since the signature can be
> considered validated if it matched the local RSA pair. This allows us to
> keep "verify_cert yes" and work properly with RSA.
>
> - Timo
You can't use verify_cert=on together with RSA keys. Racoon would crash
in oakley.c:1839.
I still propose to suppress the warning if no certificates are being
used. How would you build an appropriate if statement/condition in order
to replace the 'else' with an 'else if' in oakley.c:1487?
        /* Generate a warning if verify_cert */
        if (iph1->rmconf->verify_cert) {
                plog(LLV_DEBUG, LOCATION, NULL,
                    "CERT validated\n");
1487:   } else {
                plog(LLV_WARNING, LOCATION, NULL,
                    "CERT validation disabled by configuration\n");
        }
I walked through the fields of struct remoteconf, but I am not sure. How
about (mycertfile != NULL)?
- Roman
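The following is an added, stand-alone C model of the decision the thread is arguing about; it is not code from racoon or from either poster. It uses a constructed struct with only the fields mentioned above (verify_cert, mycertfile) plus an assumed certtype discriminator, because the thread does not settle whether a plain_rsa configuration leaves mycertfile NULL. It shows the proposed 'else if' guard: the "CERT validated" debug line and the warning keep their original placement, and the warning is emitted only when a certificate is actually configured and verification is off, so the PSK and plain-RSA cases stay silent.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed model, NOT racoon's struct remoteconf. Field names
 * verify_cert and mycertfile are the ones discussed in the thread;
 * certtype is an assumption standing in for "how is the peer
 * authenticated" (X.509 certificate vs. plain RSA key vs. none/PSK).
 */
enum cert_type { CT_NONE, CT_X509, CT_PLAINRSA };

struct rmconf_model {
	enum cert_type certtype;
	const char *mycertfile;	/* NULL when no certificate file is configured */
	bool verify_cert;	/* the verify_cert knob */
};

/* What the block around oakley.c:1487 would log for a given config. */
enum certlog {
	CERTLOG_VALIDATED,	/* LLV_DEBUG   "CERT validated" */
	CERTLOG_WARN_DISABLED,	/* LLV_WARNING "CERT validation disabled by configuration" */
	CERTLOG_NOTHING		/* no certificate in play: say nothing */
};

/* Roman's proposed test: a certificate is in use iff a cert file is set. */
bool uses_certs_by_file(const struct rmconf_model *rc)
{
	return rc->mycertfile != NULL;
}

/*
 * Stricter guard (assumption): also require an X.509 certtype, so a
 * plain-RSA key path loaded into the same field would not re-enable
 * the warning. If plain_rsa never fills mycertfile, both guards agree.
 */
bool uses_certs(const struct rmconf_model *rc)
{
	return rc->certtype == CT_X509 && rc->mycertfile != NULL;
}

/* The 'else' turned into an 'else if': warn only when certs are configured. */
enum certlog cert_validation_log(const struct rmconf_model *rc)
{
	if (rc->verify_cert)
		return CERTLOG_VALIDATED;
	else if (uses_certs(rc))
		return CERTLOG_WARN_DISABLED;
	return CERTLOG_NOTHING;
}

/* Convenience wrapper so the cases can be exercised without building structs. */
enum certlog decide(enum cert_type ct, const char *mycertfile, bool verify_cert)
{
	struct rmconf_model rc = { ct, mycertfile, verify_cert };
	return cert_validation_log(&rc);
}

static const char *certlog_name(enum certlog l)
{
	switch (l) {
	case CERTLOG_VALIDATED:	return "CERT validated";
	case CERTLOG_WARN_DISABLED: return "WARNING: CERT validation disabled by configuration";
	default:		return "(silent)";
	}
}

int main(void)
{
	/* Constructed sample configurations; the path is illustrative only. */
	const char *cert = "/etc/racoon/certs/host.pem";
	printf("x509, verify on : %s\n", certlog_name(decide(CT_X509, cert, true)));
	printf("x509, verify off: %s\n", certlog_name(decide(CT_X509, cert, false)));
	printf("plain RSA       : %s\n", certlog_name(decide(CT_PLAINRSA, NULL, false)));
	printf("PSK             : %s\n", certlog_name(decide(CT_NONE, NULL, false)));
	return 0;
}
```

Only the x509-without-verification case produces the warning; the plain-RSA and PSK configurations, which have nothing to validate, log nothing, which is the behaviour the thread asks for. The verify_cert-on branch is left first and unchanged, since the thread reports that combination is unusable with RSA keys for other reasons.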