[Swan-dev] ikev2: drop 'certificate verified OK' message

Andrew Cagney andrew.cagney at gmail.com
Sun Apr 11 14:31:01 UTC 2021


On Sun, 11 Apr 2021 at 04:26, Tuomo Soini <tis at foobar.fi> wrote:

> On Fri, 9 Apr 2021 19:58:06 -0400
> Andrew Cagney <andrew.cagney at gmail.com> wrote:
>
> > On Fri, 9 Apr 2021 at 17:46, Andrew Cagney <andrew.cagney at gmail.com>
> > wrote:
> > BTW, I've come across this:
> >
> > -002 "nss-cert-incorrect" #3: certificate verified OK:
> > E=user-east at testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test
> > Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
> >
> >  003 "nss-cert-incorrect" #3: ID_DER_ASN1_DN
> > 'E=user-east at testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test
> > Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA' does not match
> > expected 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test
> > Department, CN=road.testing.libreswan.org,
> > E=user-road at testing.libreswan.org'
> >
> >  002 "nss-cert-incorrect" #3: Peer CERT payload SubjectAltName does
> > not match peer ID for this connection

These need to be merged.

> > 002 "nss-cert-incorrect" #3: X509: connection failed due to unmatched
> > IKE ID in certificate SAN

And this dropped.  It's just restating the previous line.

> > That's three log lines effectively saying the same thing, yet not one
> > spells out that 'authentication failed' -/ I'll put that down as next
> > for my hit list.
>
> No, those three are not the same. The first one is the certificate subject of
> the actual certificate. The second one is the ID_DER_ASN1_DN (which you can
> actually set manually too, creating a mismatch with the certificate), so these
> two lines are important to print, both.
>
> There was no line to remove or we lose critical information.
>

There's information scattered across several log lines, when one is
sufficient.
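As an added illustration (not libreswan code and not part of the thread), the comparison behind the two quoted DN log lines: it parses both RFC 4514-style strings, compares them attribute by attribute regardless of RDN order (the two lines print the same attributes in opposite order), and folds the result into the single 'authentication failed' line the message asks for. The connection name and SA number come from the quoted log; the helper names and the exact-match value comparison are assumptions of this example, not libreswan's matching rules.

```python
import re

# Constructed sample input: the two DN strings from the log lines quoted in
# the thread, copied as pipermail renders them (' at ' in place of '@').
CERT_DN = ("E=user-east at testing.libreswan.org,CN=east.testing.libreswan.org,"
           "OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA")
EXPECTED_ID = ("C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, "
               "CN=road.testing.libreswan.org, E=user-road at testing.libreswan.org")


def parse_dn(dn):
    """Split an RFC 4514-style DN string into (type, value) pairs.

    A comma escaped as '\\,' stays inside the value; attribute types are
    upper-cased, values are kept exactly as printed (no LDAP matching rules,
    which is a simplification of this example).
    """
    rdns = []
    for part in re.split(r'(?<!\\),', dn):
        typ, _, val = part.strip().partition('=')
        rdns.append((typ.strip().upper(), val.strip().replace('\\,', ',')))
    return rdns


def dn_mismatches(cert_dn, expected_id):
    """Compare two DNs attribute by attribute, ignoring RDN order.

    Returns (only_in_cert, only_in_expected) as lists of (type, value);
    both lists are empty when the DNs carry the same attributes.
    """
    cert = sorted(parse_dn(cert_dn))
    want = sorted(parse_dn(expected_id))
    return ([r for r in cert if r not in want], [r for r in want if r not in cert])


def format_rdns(rdns):
    """Render (type, value) pairs back into a compact DN fragment."""
    return ", ".join(f"{t}={v}" for t, v in rdns)


def auth_failure_line(conn, sa, cert_dn, expected_id):
    """Fold the DN comparison into one log line that names the outcome.

    Returns None when the DNs match, i.e. there is no failure to report.
    """
    only_cert, only_want = dn_mismatches(cert_dn, expected_id)
    if not only_cert and not only_want:
        return None
    return (f'"{conn}" #{sa}: authentication failed: certificate subject '
            f"'{format_rdns(only_cert)}' does not match expected ID "
            f"'{format_rdns(only_want)}'")


if __name__ == "__main__":
    print(auth_failure_line("nss-cert-incorrect", 3, CERT_DN, EXPECTED_ID))
```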