On Fri, 9 Apr 2021 19:58:06 -0400
Andrew Cagney <[email protected]> wrote:

> On Fri, 9 Apr 2021 at 17:46, Andrew Cagney <[email protected]>
> wrote:
> BTW, I've come across this:
> 
> -002 "nss-cert-incorrect" #3: certificate verified OK:
> [email protected],CN=east.testing.libreswan.org,OU=Test
> Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
>  003 "nss-cert-incorrect" #3: ID_DER_ASN1_DN
> '[email protected],CN=east.testing.libreswan.org,OU=Test
> Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA' does not match
> expected 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test
> Department, CN=road.testing.libreswan.org,
> [email protected]'
>  002 "nss-cert-incorrect" #3: Peer CERT payload SubjectAltName does
> not match peer ID for this connection
> 
> 002 "nss-cert-incorrect" #3: X509: connection failed due to unmatched
> IKE ID in certificate SAN
> 
> That's three log lines effectively saying the same thing, yet not one
> spells out that 'authentication failed' -/ I'll put that down as next
> for my hit list.

No, those three are not the same. The first one is the certificate
subject of the actual certificate. The second one is ID_DER_ASN1_DN
(which you can actually set manually too, creating a mismatch with the
certificate), so these two lines are both important to print.

Here there was no line to remove, or we lose critical information.

-- 
Tuomo Soini <[email protected]>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
