[Swan-dev] ikev2: drop 'certificate verified OK' message

Andrew Cagney andrew.cagney at gmail.com
Mon Apr 12 21:55:11 UTC 2021


On Sun, 11 Apr 2021 at 12:42, Paul Wouters <paul at nohats.ca> wrote:

> On Apr 11, 2021, at 10:31, Andrew Cagney <andrew.cagney at gmail.com> wrote:
>
>> No. Those three are not the same. The first one is the certificate subject of the
>> actual certificate. The second one is ID_DER_ASN1_DN (which you can
>> actually set manually too, creating a mismatch with the certificate), so these
>> two lines are important to print, both.
>>
>> There was no line to remove, or we lose critical information.
>>
>
> There's information scattered across several log lines, when one is
> sufficient.
>
> The problem is the way the code works and how callers can come from
> different paths and how there can be a connection switching event in
> between.
>

If there's a connection switch, I think the best the current code could
approach is something like:

<wrong-connection> authentication failed: lame excuse
<wrong-connection> switching to <right-connection>
<right-connection> authenticated with ....

but even this I'm not sure about - I suspect the connection switching code
may need to try authenticating all candidates :-(


> So I agree with both of you, but the real fix is rewrite how we handle
> IKE_AUTH entirely.
>
> Paul
>