<div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, 9 Apr 2021 at 17:46, Andrew Cagney <<a href="mailto:andrew.cagney@gmail.com">andrew.cagney@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, 9 Apr 2021 at 16:39, Paul Wouters <<a href="mailto:paul@nohats.ca" target="_blank">paul@nohats.ca</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br>
<br>
> New commits:<br>
> commit 93cd3bfde96eb5539e6ec06c85eefbf520a19aa4<br>
> Merge: aa06e23 8ad8bce<br>
> Author: Andrew Cagney <<a href="mailto:cagney@gnu.org" target="_blank">cagney@gnu.org</a>><br>
> Date:   Fri Apr 9 16:10:20 2021 -0400<br>
><br>
>     ikev2: drop 'certificate verified OK' message<br>
><br>
>     covered by the authenticated message<br>
<br>
But is it covered when the authentication fails? E.g. when the certificate<br>
is valid and authenticated but the IKE peer ID mismatches?<br>
<br></blockquote><div><br></div><div>Grepping for 'authentication failed: ' shows:</div><div><br></div><div>authentication failed: using RSA with SHA2_512 for 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=<a href="http://west.testing.libreswan.org" target="_blank">west.testing.libreswan.org</a>, E=<a href="mailto:user-west@testing.libreswan.org" target="_blank">user-west@testing.libreswan.org</a>' tried preloaded: *AwEAAbyhB </div><div><br></div><div>which is close.  If the peer's cert validates, matches the ID, but doesn't work, it should emit '... tried peer: *...'' but I couldn't find a test proving this.</div><div><br></div><div>Is that the case you're thinking of?</div></div></div></blockquote><div><br></div><div>BTW, I've come across this:</div><pre style="color:rgb(0,0,0);white-space:pre-wrap">-002 "nss-cert-incorrect" #3: certificate verified OK: E=<a href="mailto:user-east@testing.libreswan.org">user-east@testing.libreswan.org</a>,CN=<a href="http://east.testing.libreswan.org">east.testing.libreswan.org</a>,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
 003 "nss-cert-incorrect" #3: ID_DER_ASN1_DN 'E=<a href="mailto:user-east@testing.libreswan.org">user-east@testing.libreswan.org</a>,CN=<a href="http://east.testing.libreswan.org">east.testing.libreswan.org</a>,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA' does not match expected 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=<a href="http://road.testing.libreswan.org">road.testing.libreswan.org</a>, E=<a href="mailto:user-road@testing.libreswan.org">user-road@testing.libreswan.org</a>'
 002 "nss-cert-incorrect" #3: Peer CERT payload SubjectAltName does not match peer ID for this connection </pre><div><span style="color:rgb(0,0,0);white-space:pre-wrap"> 002 "nss-cert-incorrect" #3: X509: connection failed due to unmatched IKE ID in certificate SAN</span></div><div><span style="color:rgb(0,0,0);white-space:pre-wrap"><br></span></div><div><span style="color:rgb(0,0,0);white-space:pre-wrap">That's three log lines effectively saying the same thing, yet not one spells out that 'authentication failed' -/  </span>I'll put that down as next for my hit list.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div class="gmail_quote"><div><br></div><div><br></div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Paul<br>
_______________________________________________<br>
Swan-dev mailing list<br>
<a href="mailto:Swan-dev@lists.libreswan.org" target="_blank">Swan-dev@lists.libreswan.org</a><br>
<a href="https://lists.libreswan.org/mailman/listinfo/swan-dev" rel="noreferrer" target="_blank">https://lists.libreswan.org/mailman/listinfo/swan-dev</a><br>
</blockquote></div></div>
</blockquote></div></div>
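<div>Added example (my own Python, not Libreswan code): a small classifier for the pluto status lines quoted above, grouping them by connection and SA number so that "certificate verified OK" plus the three redundant ID-mismatch lines collapse into the single "authentication failed" outcome that none of them states. The nss-cert-incorrect lines are shortened from the thread; the 'west-east' #1 prefix on the 'authentication failed' line is a constructed assumption.</div>

```python
import re
from collections import defaultdict
# pluto status line: 3-digit code, quoted connection name, "#<sa>:" and the message text
LINE_RE = re.compile(r'^\s*(?P<code>\d{3})\s+"(?P<conn>[^"]+)"\s+#(?P<sa>\d+):\s+(?P<msg>.*)$')

# Message fragments quoted in the thread; failure fragments are checked before the success line.
PATTERNS = [
    ("authentication failed:", "auth-failed"),
    ("does not match expected", "id-mismatch"),
    ("SubjectAltName does not match peer ID", "id-mismatch"),
    ("unmatched IKE ID in certificate SAN", "id-mismatch"),
    ("certificate verified OK", "cert-ok"),
]

def classify(msg):
    """Map one message body to 'auth-failed', 'id-mismatch', 'cert-ok' or None."""
    for needle, label in PATTERNS:
        if needle in msg:
            return label
    return None

def summarize(lines):
    """Group by (connection, SA number); the three redundant mismatch lines collapse to one reason."""
    out = defaultdict(lambda: {"cert_ok": False, "auth_failed": False, "reasons": []})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a pluto status line
        key = (m["conn"], int(m["sa"]))
        label = classify(m["msg"])
        if label == "cert-ok":
            out[key]["cert_ok"] = True
        elif label is not None:
            out[key]["auth_failed"] = True
            if label not in out[key]["reasons"]:
                out[key]["reasons"].append(label)
    return dict(out)

def cert_ok_but_rejected(summary):
    """SAs whose chain validated yet the peer was rejected: the valid-cert, wrong-IKE-ID case."""
    return sorted(k for k, v in summary.items() if v["cert_ok"] and v["auth_failed"])

# Constructed sample: nss-cert-incorrect lines shortened from the thread; 'west-east' #1 prefix invented
SAMPLE = [
    '002 "nss-cert-incorrect" #3: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,C=CA',
    '003 "nss-cert-incorrect" #3: ID_DER_ASN1_DN \'CN=east.testing.libreswan.org\' does not match expected \'CN=road.testing.libreswan.org\'',
    '002 "nss-cert-incorrect" #3: Peer CERT payload SubjectAltName does not match peer ID for this connection',
    '002 "nss-cert-incorrect" #3: X509: connection failed due to unmatched IKE ID in certificate SAN',
    '002 "west-east" #1: authentication failed: using RSA with SHA2_512 for \'CN=west.testing.libreswan.org\' tried preloaded: *AwEAAbyhB',
]
```

Calling <code>cert_ok_but_rejected(summarize(SAMPLE))</code> returns the one SA where the chain validated but the IKE ID did not match.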