<div dir="ltr">Hi Martin,<div><br></div><div>Is it possible to share patch details that we can apply over v5.2? </div><div>I need changes that will re/unload CA certificates referenced in ipsec.conf ca sections via "<span style="font-size:12.8000001907349px">ipsec</span></div><span style="font-size:12.8000001907349px">update" command.</span><div><br></div><div><span style="font-size:12.8000001907349px">Using the link you shared I am not able to identify how to get to the changed files of the 6 patches that you have mentioned in the link.</span></div><div><span style="font-size:12.8000001907349px"><br></span></div><div><br></div><div><span style="font-size:12.8000001907349px">BR</span></div><div><span style="font-size:12.8000001907349px">Sajal</span></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, May 13, 2015 at 9:38 PM, Sajal Malhotra <span dir="ltr"><<a href="mailto:sajalmalhotra@gmail.com" target="_blank">sajalmalhotra@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><p dir="ltr">Thanks Martin for a quick reply.<br>
I was looking at link for patches that you shared however could not identify which 6 patches include the fix as there are many patches available on this link:</p><p dir="ltr"><a href="http://git.strongswan.org/?p=strongswan.git;a=shortlog" target="_blank">http://git.strongswan.org/?p=strongswan.git;a=shortlog</a><br></p><p><br></p><p>BR</p><span class="HOEnZb"><font color="#888888"><p>Sajal</p></font></span><div><div class="h5"><p dir="ltr"><br></p><p dir="ltr"><br></p>
<div class="gmail_quote">On May 13, 2015 3:17 PM, "Martin Willi" <<a href="mailto:martin@strongswan.org" target="_blank">martin@strongswan.org</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Hi,<br>
<br>
> ca section1<br>
> cacert=/usr/local/etc/ipsec.d/cacerts/CA.pem<br>
<br>
> 6. After removing this and executing "ipsec update" we expect that the<br>
> SA will not get established as the end which does not have root CA of<br>
> peer will reject the IKE_AUTH.<br>
<br>
All CA certificates placed under the cacerts directory get loaded<br>
implicitly. The ipsec.conf ca section is there to load CA certificates<br>
from other locations, or to define additional properties for that CA<br>
(refer to the ipsec.conf manpage for details).<br>
<br>
Further, CA certificate unloading was not supported until 5.3.0, see<br>
[1]. With that version, you can re/unload all CA certificates from the<br>
cacerts directory using the "ipsec reread" command, or use "ipsec<br>
update" to re/unload CA certificates referenced in ipsec.conf ca<br>
sections.<br>
<br>
Regards<br>
Martin<br>
<br>
[1]<a href="https://wiki.strongswan.org/issues/842" target="_blank">https://wiki.strongswan.org/issues/842</a><br>
<br>
</blockquote></div>
</div></div></div>
</blockquote></div><br></div>