On Sun, 11 Apr 2021 at 12:42, Paul Wouters <[email protected]> wrote:

> On Apr 11, 2021, at 10:31, Andrew Cagney <[email protected]> wrote:
>
> > > No. Those three are not same. First one is certificate subject of
> > > actual certificate. Second one is ID_DER_ASN1_DN (which you can
> > > actually set manually too creating mismatch with certificate) so these
> > > two lines are important to print, both.
> > >
> > > Here was no line to remove or we lose critical information.
> >
> > There's information scattered across several log lines, when one is
> > sufficient.
>
> The problem is the way the code works and how callers can come from
> different paths and how there can be a connection switching event in
> between.

If there's a connection switch, I think the best the current code could
approach is something like:

    <wrong-connection> authentication failed: lame excuse
    <wrong-connection> switching to <right-connection>
    <right-connection> authenticated with ....

but even this I'm not sure about - I suspect the connection switching
code may need to try authenticating all candidates :-(

> So I agree with both of you, but the real fix is rewrite how we handle
> IKE_AUTH entirely.
>
> Paul
_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
