Since
6a8a44be88b0 the certificate received by the client is verified
first, before checking the cached certificates for any with matching
identities. So we usually don't have to attempt to verify the signature
with wrong certificates first and can avoid this message.
moon:: ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
carol::ipsec status 2> /dev/null::alice.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: cat /var/log/daemon.log::signature validation failed, looking for another key::YES
+moon:: cat /var/log/daemon.log::signature validation failed, looking for another key::NO
moon:: cat /var/log/daemon.log::using certificate.*OU=Research, SN=002, CN=carol@strongswan.org::YES
moon:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
carol::ipsec status 2> /dev/null::venus.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES