<div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sun, 11 Apr 2021 at 04:26, Tuomo Soini <<a href="mailto:tis@foobar.fi">tis@foobar.fi</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Fri, 9 Apr 2021 19:58:06 -0400<br>
Andrew Cagney <<a href="mailto:andrew.cagney@gmail.com" target="_blank">andrew.cagney@gmail.com</a>> wrote:<br>
<br>
> On Fri, 9 Apr 2021 at 17:46, Andrew Cagney <<a href="mailto:andrew.cagney@gmail.com" target="_blank">andrew.cagney@gmail.com</a>><br>
> wrote:<br>
> BTW, I've come across this:<br>
> <br>
> -002 "nss-cert-incorrect" #3: certificate verified OK:<br>
> E=<a href="mailto:user-east@testing.libreswan.org" target="_blank">user-east@testing.libreswan.org</a>,CN=<a href="http://east.testing.libreswan.org" rel="noreferrer" target="_blank">east.testing.libreswan.org</a>,OU=Test<br>
> Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA<br></blockquote><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
>  003 "nss-cert-incorrect" #3: ID_DER_ASN1_DN<br>
> 'E=<a href="mailto:user-east@testing.libreswan.org" target="_blank">user-east@testing.libreswan.org</a>,CN=<a href="http://east.testing.libreswan.org" rel="noreferrer" target="_blank">east.testing.libreswan.org</a>,OU=Test<br>
> Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA' does not match<br>
> expected 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test<br>
> Department, CN=<a href="http://road.testing.libreswan.org" rel="noreferrer" target="_blank">road.testing.libreswan.org</a>,<br>
> E=<a href="mailto:user-road@testing.libreswan.org" target="_blank">user-road@testing.libreswan.org</a>'<br></blockquote><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
>  002 "nss-cert-incorrect" #3: Peer CERT payload SubjectAltName does<br>
> not match peer ID for this connection</blockquote><div><br></div><div>These need to be merged. </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
> 002 "nss-cert-incorrect" #3: X509: connection failed due to unmatched<br>
> IKE ID in certificate SAN<br></blockquote><div><br></div><div>And this dropped.  It's just restating the previous line.</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
> <br>
> That's three log lines effectively saying the same thing, yet not one<br>
> spells out that 'authentication failed' -/ I'll put that down as next<br>
> for my hit list.<br>
<br>
No, those three are not the same. The first one is the certificate subject of<br>
the actual certificate. The second one is ID_DER_ASN1_DN (which you can<br>
actually set manually too, creating a mismatch with the certificate), so these<br>
two lines are both important to print.<br>
<br>
There was no line to remove, or we lose critical information.<br></blockquote><div><br></div><div>There's information scattered across several log lines, when one is sufficient. </div><div><br></div></div></div>