[strongSwan] swanctl unloads private key on startup (not desired)

Tobias Brunner tobias at strongswan.org
Fri May 12 09:19:34 CEST 2017

Hi Stephen,

> On startup, swanctl seems to load and then immediately unload the
> private key associated with the "local" cert:
>     10[CFG] loaded RSA private key
>     10[CFG] unloaded private key with id
> 4d12e9d018870dfc33ddd431233ec05a97498ccc

I was able to reproduce this issue.  It happens if keys are unencrypted
and --load-creds is called multiple times (so workarounds are to encrypt
the key or to call --load-creds only once).  There was a stray call to a
function that didn't do the accounting regarding used/unused keys.  A
fix is available in the swanctl-load-key branch [1].

> (what is a "removed secret"?)

A secret that's not loaded with swanctl anymore (e.g. if you removed it
in swanctl.conf or on disk or replaced it with a new one, i.e. the
fingerprint changed).



More information about the Users mailing list