<div dir="ltr"><div dir="ltr"><img class="gmail-ajT" src="https://ssl.gstatic.com/ui/v1/icons/mail/images/cleardot.gif"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, 9 Apr 2021 at 16:39, Paul Wouters <<a href="mailto:paul@nohats.ca">paul@nohats.ca</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br>
<br>
> New commits:<br>
> commit 93cd3bfde96eb5539e6ec06c85eefbf520a19aa4<br>
> Merge: aa06e23 8ad8bce<br>
> Author: Andrew Cagney <<a href="mailto:cagney@gnu.org" target="_blank">cagney@gnu.org</a>><br>
> Date: Fri Apr 9 16:10:20 2021 -0400<br>
><br>
> ikev2: drop 'certificate verified OK' message<br>
><br>
> covered by the authenticated message<br>
<br>
But is it covered when the authentication fails? Eg when the certificate<br>
is valid and authenticated but the IKE peer ID mismatches?<br>
<br></blockquote><div><br></div><div>Grepping for 'authentication failed: ' shows:</div><div><br></div><div>authentication failed: using RSA with SHA2_512 for 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=<a href="http://west.testing.libreswan.org">west.testing.libreswan.org</a>, E=<a href="mailto:user-west@testing.libreswan.org">user-west@testing.libreswan.org</a>' tried preloaded: *AwEAAbyhB </div><div><br></div><div>which is close. If the peer's cert validates, matches the ID, but doesn't work, it should emit '... tried peer: *...'' but I couldn't find a test proving this.</div><div><br></div><div>Is that the case you're thinking of?</div><div><br></div><div><br></div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Paul<br>
_______________________________________________<br>
Swan-dev mailing list<br>
<a href="mailto:Swan-dev@lists.libreswan.org" target="_blank">Swan-dev@lists.libreswan.org</a><br>
<a href="https://lists.libreswan.org/mailman/listinfo/swan-dev" rel="noreferrer" target="_blank">https://lists.libreswan.org/mailman/listinfo/swan-dev</a><br>
</blockquote></div></div>