[Swan-dev] ikev2: drop 'certificate verified OK' message

Tuomo Soini tis at foobar.fi
Sun Apr 11 08:19:32 UTC 2021


On Fri, 9 Apr 2021 19:58:06 -0400
Andrew Cagney <andrew.cagney at gmail.com> wrote:

> On Fri, 9 Apr 2021 at 17:46, Andrew Cagney <andrew.cagney at gmail.com>
> wrote:
> BTW, I've come across this:
> 
> -002 "nss-cert-incorrect" #3: certificate verified OK:
> E=user-east at testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test
> Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
>  003 "nss-cert-incorrect" #3: ID_DER_ASN1_DN
> 'E=user-east at testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test
> Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA' does not match
> expected 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test
> Department, CN=road.testing.libreswan.org,
> E=user-road at testing.libreswan.org'
>  002 "nss-cert-incorrect" #3: Peer CERT payload SubjectAltName does
> not match peer ID for this connection
> 
> 002 "nss-cert-incorrect" #3: X509: connection failed due to unmatched
> IKE ID in certificate SAN
> 
> That's three log lines effectively saying the same thing, yet not one
> spells out that 'authentication failed' -/ I'll put that down as next
> for my hit list.

No. Those three are not the same. The first one is the certificate subject of
the actual certificate. The second one is ID_DER_ASN1_DN (which you can
actually set manually too, creating a mismatch with the certificate), so these
two lines are important to print, both.

There was no line to remove here, or we lose critical information.

-- 
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
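The two DNs in the quoted log lines are printed in opposite RDN order (the certificate subject starts with E=, the configured ID starts with C=), so reading them by eye makes it hard to tell an ordering difference from a real mismatch. The script below is an added example, not Libreswan code and not from either poster: it parses "does not match expected" lines of the shape quoted above, compares the two DNs attribute by attribute with RDN order and spacing ignored, and reports only the attributes that really differ. It assumes the log line format shown in the thread, that DN values contain no escaped commas, and uses constructed sample lines with the archive's " at " address obfuscation undone.

```python
"""Added example (not Libreswan code): compare the certificate subject DN and
the configured ID_DER_ASN1_DN from a Libreswan 'does not match expected' log
line, ignoring RDN order and whitespace so only real differences are reported."""
import re

# Constructed sample log line, modelled on the one quoted in the thread
# (e-mail addresses written with '@' instead of the archive's ' at ').
SAMPLE_LOG = [
    '003 "nss-cert-incorrect" #3: ID_DER_ASN1_DN '
    "'E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,"
    "OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA'"
    " does not match expected "
    "'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, "
    "CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org'",
]

# Assumed line shape, taken from the quoted log output.
_LINE_RE = re.compile(
    r"ID_DER_ASN1_DN '(?P<actual>[^']*)' does not match expected '(?P<expected>[^']*)'"
)


def parse_dn(dn):
    """Split a printed DN into {ATTR: value}.

    Assumption: values contain no escaped commas (true for the samples here);
    a production parser would have to honour RFC 4514 escaping."""
    parts = {}
    for rdn in dn.split(","):
        rdn = rdn.strip()
        if not rdn:
            continue
        attr, _, value = rdn.partition("=")
        parts[attr.strip().upper()] = value.strip()
    return parts


def dn_diff(actual_dn, expected_dn):
    """Return sorted (attribute, actual, expected) tuples for attributes that differ.

    RDN order is ignored, so 'C=CA,ST=Ontario' and 'ST=Ontario, C=CA' compare equal."""
    a, e = parse_dn(actual_dn), parse_dn(expected_dn)
    return [
        (attr, a.get(attr), e.get(attr))
        for attr in sorted(set(a) | set(e))
        if a.get(attr) != e.get(attr)
    ]


def analyse_log(lines):
    """For each ID mismatch line, report which RDNs actually differ.

    Each result has 'diffs' (list from dn_diff) and 'order_only', which is True
    when the two DNs hold the same attributes and differ only in RDN order."""
    results = []
    for line in lines:
        m = _LINE_RE.search(line)
        if not m:
            continue
        diffs = dn_diff(m.group("actual"), m.group("expected"))
        results.append({"diffs": diffs, "order_only": not diffs})
    return results


if __name__ == "__main__":
    for result in analyse_log(SAMPLE_LOG):
        if result["order_only"]:
            print("DNs differ only in RDN order")
        for attr, actual, expected in result["diffs"]:
            print(f"{attr}: certificate has {actual!r}, connection expects {expected!r}")
```

Run against the constructed sample it reports CN and E as the differing attributes, which is exactly the information the two log lines carry: the peer presented the east certificate while the connection was configured for the road ID, so the mismatch is real and not a formatting artefact.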

