On Fri, 9 Apr 2021 at 17:46, Andrew Cagney <[email protected]> wrote:
>
>
> On Fri, 9 Apr 2021 at 16:39, Paul Wouters <[email protected]> wrote:
>
>>
>>
>> > New commits:
>> > commit 93cd3bfde96eb5539e6ec06c85eefbf520a19aa4
>> > Merge: aa06e23 8ad8bce
>> > Author: Andrew Cagney <[email protected]>
>> > Date:   Fri Apr 9 16:10:20 2021 -0400
>> >
>> >     ikev2: drop 'certificate verified OK' message
>> >
>> >     covered by the authenticated message
>>
>> But is it covered when the authentication fails? E.g. when the certificate
>> is valid and authenticated but the IKE peer ID mismatches?
>>
>>
> Grepping for 'authentication failed: ' shows:
>
> authentication failed: using RSA with SHA2_512 for 'C=CA, ST=Ontario,
> L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org,
> [email protected]' tried preloaded: *AwEAAbyhB
>
> which is close. If the peer's cert validates, matches the ID, but doesn't
> work, it should emit '... tried peer: *...' but I couldn't find a test
> proving this.
>
> Is that the case you're thinking of?
>

BTW, I've come across this:

002 "nss-cert-incorrect" #3: certificate verified OK: [email protected],CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
003 "nss-cert-incorrect" #3: ID_DER_ASN1_DN '[email protected],CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA' does not match expected 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, [email protected]'
002 "nss-cert-incorrect" #3: Peer CERT payload SubjectAltName does not match peer ID for this connection
002 "nss-cert-incorrect" #3: X509: connection failed due to unmatched IKE ID in certificate SAN

That's three log lines effectively saying the same thing, yet not one
spells out that 'authentication failed' -/

I'll put that down as next for my hit list.

>
>
>
> Paul
>> _______________________________________________
>> Swan-dev mailing list
>> [email protected]
>> https://lists.libreswan.org/mailman/listinfo/swan-dev
>>
>
_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
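The thread's point is that pluto can log "certificate verified OK" for a peer and then reject it three different ways without ever saying "authentication failed", so anyone grepping logs for that string misses the ID-mismatch case. The following is an added example, not Libreswan code and not from anyone in the thread: a small classifier that groups pluto log lines by connection and state number and derives an explicit authentication verdict from the fragments quoted above. The sample log is constructed from the lines pasted in the mail (e-mail addresses appear as redacted there, so they are left that way); the "west-preloaded" connection name, its state number and rc code, and the 'cert_ok_only'/'unknown' verdict labels are assumptions for the example.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Shape of a pluto log line as pasted in the thread:
#   <3-digit rc code> "<connection name>" #<state number>: <message>
LOG_LINE = re.compile(r'^(?P<rc>\d{3}) "(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$')

# Message fragments taken from the thread; each is evidence about IKE peer authentication.
CERT_OK = "certificate verified OK"
ID_MISMATCH = ("does not match expected", "does not match peer ID", "unmatched IKE ID")
AUTH_FAILED = "authentication failed:"

# Constructed sample: the four "nss-cert-incorrect" lines are copied from the mail;
# the "west-preloaded" line wraps the 'authentication failed' text quoted in the mail
# in an assumed connection name, state number and rc code.
SAMPLE_LOG = """\
002 "nss-cert-incorrect" #3: certificate verified OK: [email protected],CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
003 "nss-cert-incorrect" #3: ID_DER_ASN1_DN '[email protected],CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA' does not match expected 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, [email protected]'
002 "nss-cert-incorrect" #3: Peer CERT payload SubjectAltName does not match peer ID for this connection
002 "nss-cert-incorrect" #3: X509: connection failed due to unmatched IKE ID in certificate SAN
002 "west-preloaded" #1: authentication failed: using RSA with SHA2_512 for 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, [email protected]' tried preloaded: *AwEAAbyhB
"""

Verdict = Tuple[str, str]  # (outcome label, one-line explanation)


def parse(lines: Iterable[str]) -> Dict[Tuple[str, int], List[str]]:
    """Group messages by (connection, state) so one IKE exchange is judged as a unit."""
    grouped: Dict[Tuple[str, int], List[str]] = defaultdict(list)
    for raw in lines:
        line = raw.strip().lstrip("-")  # tolerate quoting or extraction debris at line start
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a pluto state line; ignore
        grouped[(m["conn"], int(m["state"]))].append(m["msg"])
    return dict(grouped)


def judge(msgs: List[str]) -> Verdict:
    """Turn the messages of one exchange into an explicit verdict.

    A valid certificate whose identity is not the one the connection expects is an
    authentication failure even though pluto never logs those words for it.
    """
    cert_ok = any(CERT_OK in msg for msg in msgs)
    mismatch = any(any(frag in msg for frag in ID_MISMATCH) for msg in msgs)
    failed = [msg for msg in msgs if msg.startswith(AUTH_FAILED)]
    if failed:
        return "auth_failed", failed[0]
    if cert_ok and mismatch:
        return "auth_failed", "certificate chain is valid but its identity is not the one this connection expects"
    if mismatch:
        return "auth_failed", "peer ID does not match the configured ID"
    if cert_ok:
        return "cert_ok_only", "certificate verified but no authentication outcome logged"
    return "unknown", "no authentication-related lines"


def classify(lines: Iterable[str]) -> Dict[Tuple[str, int], Verdict]:
    """Map every (connection, state) seen in the log to its verdict."""
    return {key: judge(msgs) for key, msgs in parse(lines).items()}


if __name__ == "__main__":
    for (conn, state), (outcome, why) in classify(SAMPLE_LOG.splitlines()).items():
        print(f'"{conn}" #{state}: {outcome}: {why}')
```

Run stand-alone it prints one verdict per exchange; fed a real pluto log it flags the "certificate valid, wrong identity" case that a plain grep for 'authentication failed' misses, which is exactly the gap the thread is discussing. A peer that holds a valid certificate for a different identity is worth alerting on, since it is either a configuration error or someone presenting a certificate that was never meant for that connection.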
