[Swan-dev] authenticated by RSA public key 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east at testing.libreswan.org' issued by CA 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing at libreswan.org' using SHA2_512

Paul Wouters paul at nohats.ca
Sun Feb 28 17:21:53 UTC 2021


On Sat, 27 Feb 2021, Andrew Cagney wrote:

> I'm getting ready to push a change in how authentication is logged.
> The long term objective is to get the authentication down to a single
> line (perhaps per-auth method allowed?).

Sounds good.

> -> I'll probably reword it so that <hash> comes earlier in the
> possibly very long log line

ok.

> -> it should probably include "local" or "remote" to indicate where
> the cert came from

The term local/remote might not make it clear whether it is identifying
the local/remote or whether the cert is configured locally or received
from the remote? Maybe use "locally configured certificate" and "received
remote certificate"? But that is using a lot of characters. Maybe
"received peer certificate"

> -> is anything missing?

Nothing comes to mind.

> +003 "ikev1-aggr-failtest" #3: RSA signature check for '@east-v1'
> failed, tried preloaded certs: *000000000(length)
>
> -> I'm not sure if "(length)" is helpful or not, it could be made longer?

I don't think so.

> -> I'm going to rename "preloaded" to "local"

Again that might be confusing people to think you tried to verify the
peer using a certificate for the local endpoint, versus verifying the
peer using a locally stored certificate. Maybe "preconfigured", or
"locally stored"?

Paul

