[Swan-dev] ikev2: drop 'certificate verified OK' message

Andrew Cagney andrew.cagney at gmail.com
Fri Apr 9 23:58:06 UTC 2021


On Fri, 9 Apr 2021 at 17:46, Andrew Cagney <andrew.cagney at gmail.com> wrote:

>
>
> On Fri, 9 Apr 2021 at 16:39, Paul Wouters <paul at nohats.ca> wrote:
>
>>
>>
>> > New commits:
>> > commit 93cd3bfde96eb5539e6ec06c85eefbf520a19aa4
>> > Merge: aa06e23 8ad8bce
>> > Author: Andrew Cagney <cagney at gnu.org>
>> > Date:   Fri Apr 9 16:10:20 2021 -0400
>> >
>> >     ikev2: drop 'certificate verified OK' message
>> >
>> >     covered by the authenticated message
>>
>> But is it covered when the authentication fails? Eg when the certificate
>> is valid and authenticated but the IKE peer ID mismatches?
>>
>>
> Grepping for 'authentication failed: ' shows:
>
> authentication failed: using RSA with SHA2_512 for 'C=CA, ST=Ontario,
> L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org,
> E=user-west at testing.libreswan.org' tried preloaded: *AwEAAbyhB
>
> which is close.  If the peer's cert validates, matches the ID, but doesn't
> work, it should emit '... tried peer: *...' but I couldn't find a test
> proving this.
>
> Is that the case you're thinking of?
>

BTW, I've come across this:

-002 "nss-cert-incorrect" #3: certificate verified OK:
E=user-east at testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test
Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
 003 "nss-cert-incorrect" #3: ID_DER_ASN1_DN
'E=user-east at testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test
Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA' does not match
expected 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test
Department, CN=road.testing.libreswan.org,
E=user-road at testing.libreswan.org'
 002 "nss-cert-incorrect" #3: Peer CERT payload SubjectAltName does
not match peer ID for this connection

002 "nss-cert-incorrect" #3: X509: connection failed due to unmatched IKE
ID in certificate SAN

That's three log lines effectively saying the same thing, yet not one
spells out that 'authentication failed' -/ I'll put that down as next for
my hit list.


>
>
>
> Paul
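An added example, not code from this thread or from libreswan: a small log consumer that folds the three lines quoted above into the single "authentication failed" verdict the message says is missing, and shows that the DN mismatch is in CN and E rather than just RDN ordering. The sample lines are reconstructed from the quoted log, and the regexes assume the `"conn" #state: message` prefix shown there.

```python
import re
from collections import defaultdict

# Constructed sample built from the log lines quoted in this thread (whack status
# prefixes dropped; the '@' the list archive rewrote as ' at ' restored).
SAMPLE_LOG = [
    '"nss-cert-incorrect" #3: certificate verified OK: E=user-east@testing.libreswan.org,'
    'CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA',
    "\"nss-cert-incorrect\" #3: ID_DER_ASN1_DN 'E=user-east@testing.libreswan.org,"
    "CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA'"
    " does not match expected 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department,"
    " CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org'",
    '"nss-cert-incorrect" #3: Peer CERT payload SubjectAltName does not match peer ID for this connection',
    '"nss-cert-incorrect" #3: X509: connection failed due to unmatched IKE ID in certificate SAN',
]

LINE_RE = re.compile(r'^"(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$')
ID_RE = re.compile(r"ID_DER_ASN1_DN '(?P<got>[^']*)' does not match expected '(?P<want>[^']*)'")

def parse_dn(dn):
    """RFC 4514-style DN -> {type: value}; RDN order and spacing are ignored."""
    return dict(p.strip().split("=", 1) for p in dn.split(",") if "=" in p)

def dn_mismatches(got, want):
    """Attribute types whose values differ (or are missing) between two DNs."""
    a, b = parse_dn(got), parse_dn(want)
    return sorted(t for t in a.keys() | b.keys() if a.get(t) != b.get(t))

def classify_peer_auth(lines):
    """One verdict per (connection, state #): a state that logged 'certificate
    verified OK' and then an ID/SAN mismatch is an authentication failure."""
    states = defaultdict(lambda: {"cert_ok": False, "id_mismatch": False, "differing": []})
    for m in filter(None, map(LINE_RE.match, lines)):
        st, msg = states[(m["conn"], int(m["state"]))], m["msg"]
        idm = ID_RE.search(msg)
        if msg.startswith("certificate verified OK"):
            st["cert_ok"] = True
        elif idm:
            st["id_mismatch"] = True
            st["differing"] = dn_mismatches(idm["got"], idm["want"])
        elif "unmatched IKE ID" in msg or "does not match peer ID" in msg:
            st["id_mismatch"] = True
    verdicts = {}
    for key, st in states.items():
        if st["id_mismatch"]:
            why = "certificate valid but peer ID mismatch" if st["cert_ok"] else "peer ID mismatch"
            verdicts[key] = ("authentication failed: " + why, st["differing"])
        elif st["cert_ok"]:
            verdicts[key] = ("certificate verified", [])
    return verdicts
```

Running `classify_peer_auth(SAMPLE_LOG)` yields one entry for state #3 with the verdict string and `["CN", "E"]` as the differing attributes.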