[strongSwan] swanctl unloads private key on startup (not desired)
Tobias Brunner
tobias at strongswan.org
Fri May 12 09:19:34 CEST 2017
Hi Stephen,
> On startup, swanctl seems to load and then immediately unload the
> private key associated with the "local" cert:
> 10[CFG] loaded RSA private key
> 10[CFG] unloaded private key with id 4d12e9d018870dfc33ddd431233ec05a97498ccc
I was able to reproduce this issue. It happens if keys are unencrypted
and --load-creds is called multiple times (so workarounds are to encrypt
the key or to call --load-creds only once). There was a stray call to a
function that didn't do the accounting regarding used/unused keys. A
fix is available in the swanctl-load-key branch [1].
> (what is a "removed secret"?)
A secret that's not loaded with swanctl anymore (e.g. if you removed it
in swanctl.conf or on disk or replaced it with a new one, i.e. the
fingerprint changed).
Regards,
Tobias
[1] https://git.strongswan.org/?p=strongswan.git;a=shortlog;h=refs/heads/swanctl-load-key