[Swan-dev] authenticated by RSA public key 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east at testing.libreswan.org' issued by CA 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing at libreswan.org' using SHA2_512

Andrew Cagney andrew.cagney at gmail.com
Sat Feb 27 18:46:36 UTC 2021


I'm getting ready to push a change in how authentication is logged.
The long term objective is to get the authentication down to a single
line (perhaps per-auth method allowed?).

Today I'm looking at pubkey auth:

Success: authenticated by <PKI> public key '<ID>' issued by CA '<CA>'
using <hash>

-003 "westnet-eastnet" #1: authenticated using RSA with SHA-1
+003 "westnet-eastnet" #1: authenticated by RSA public key '@east'
issued by CA '%any' using SHA-1

-003 "westnet-eastnet-ikev2" #1: authenticated using RSA with SHA2_512
+003 "westnet-eastnet-ikev2" #1: authenticated by RSA public key
'192.1.2.23' issued by CA 'C=CA, ST=Ontario, L=Toronto, O=Libreswan,
OU=Test Department, CN=Libreswan test CA for mainca,
E=testing at libreswan.org' using SHA2_512

-003 "road-east-x509-ipv4"[1] 192.1.2.23 #1: authenticated using RSA
with SHA2_512
+003 "road-east-x509-ipv4"[1] 192.1.2.23 #1: authenticated by RSA
public key 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test
Department, CN=east.testing.libreswan.org,
E=user-east at testing.libreswan.org' issued by CA 'C=CA, ST=Ontario,
L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for
mainca, E=testing at libreswan.org' using SHA2_512

-> I'll probably reword it so that <hash> comes earlier in the
possibly very long log line
-> it should probably include "local" or "remote" to indicate where
the cert came from
-> is anything missing?

Fail: <PKI> signature check for '<ID>' failed tried [remote certs:
*<KEYID>(<reason>) ...] [preloaded certs: *<KEYID>(<reason>) ...]

-003 "ikev1-aggr-failtest" #3: an RSA Sig check failed 'SIG length
does not match public key length' with *000000000 [preloaded keys]
-003 "ikev1-aggr-failtest" #3: RSA Signature check (on @east-v1)
failed (wrong key?); tried *000000000
+003 "ikev1-aggr-failtest" #3: RSA signature check for '@east-v1'
failed, tried preloaded certs: *000000000(length)

-> I'm not sure if "(length)" is helpful or not, it could be made longer?
-> I'm going to rename "preloaded" to "local"
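The proposed success and failure lines are regular enough to machine-parse, so here is a small parser and triage routine for the log-ingestion side, added as an example that is not part of this post or of libreswan. It assumes the final wording matches the two templates above exactly (accepting "local" as the rename of "preloaded"); the sample lines, key IDs and DNs are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Shared prefix: <rc> "<conn>"[<instance>] <peer> #<sa>:  (the [instance] <peer> part is optional)
_PREFIX = r'^(?P<rc>\d{3}) "(?P<conn>[^"]+)"(?:\[\d+\] \S+)? #(?P<sa>\d+): '
_SUCCESS = re.compile(_PREFIX + r"authenticated by (?P<pki>\S+) public key '(?P<id>[^']*)' "
                      r"issued by CA '(?P<ca>[^']*)' using (?P<hash>\S+)$")
_FAIL = re.compile(_PREFIX + r"(?P<pki>\S+) signature check for '(?P<id>[^']*)' failed, "
                   r"tried (?P<tried>.*)$")
# "<source> certs: *<KEYID>(<reason>) ..." groups; "local" is the rename proposed for "preloaded"
_SOURCE = re.compile(r"(?P<src>remote|preloaded|local) certs:(?P<keys>(?:\s*\*[^\s(]+\([^)]*\))+)")
_KEY = re.compile(r"\*(?P<keyid>[^\s(]+)\((?P<reason>[^)]*)\)")

@dataclass
class AuthEvent:
    conn: str
    sa: int
    pki: str
    peer_id: str
    ok: bool
    ca: Optional[str] = None
    hash_alg: Optional[str] = None
    tried: Dict[str, List[Tuple[str, str]]] = field(default_factory=dict)  # source -> [(keyid, reason)]

def parse_auth_line(line: str) -> Optional[AuthEvent]:
    """Parse one new-format pubkey auth line; return None for any other pluto message."""
    m = _SUCCESS.match(line)
    if m:
        return AuthEvent(m["conn"], int(m["sa"]), m["pki"], m["id"], True, m["ca"], m["hash"])
    m = _FAIL.match(line)
    if m:
        tried = {s["src"]: _KEY.findall(s["keys"]) for s in _SOURCE.finditer(m["tried"])}
        return AuthEvent(m["conn"], int(m["sa"]), m["pki"], m["id"], False, tried=tried)
    return None

def triage(lines: List[str], weak_hashes=("SHA-1",)) -> Tuple[List[AuthEvent], List[AuthEvent]]:
    """Return (successful auths that used a weak hash, failed signature checks)."""
    events = [e for e in map(parse_auth_line, lines) if e is not None]
    return ([e for e in events if e.ok and e.hash_alg in weak_hashes], [e for e in events if not e.ok])

# Constructed sample lines in the proposed format; the key IDs and DNs are made up.
SAMPLE = [
    "003 \"westnet-eastnet\" #1: authenticated by RSA public key '@east' issued by CA '%any' using SHA-1",
    "003 \"road-east-x509-ipv4\"[1] 192.1.2.23 #1: authenticated by RSA public key 'C=CA, O=Libreswan, "
    "CN=east.testing.libreswan.org' issued by CA 'C=CA, O=Libreswan, CN=Libreswan test CA' using SHA2_512",
    "003 \"ikev1-aggr-failtest\" #3: RSA signature check for '@east-v1' failed, "
    "tried remote certs: *AAAAAAAAA(wrong key?) preloaded certs: *000000000(length)",
    "003 \"westnet-eastnet\" #2: STATE_MAIN_R3: sent MR3, ISAKMP SA established",  # ignored
]
```

A peer that still authenticates with SHA-1, or a run of failed checks against the same ID, is what the two triage buckets are meant to surface.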

