Diffstat (limited to 'src')
-rw-r--r--src/libtls/tls_peer.c13
-rw-r--r--src/libtls/tls_server.c11
2 files changed, 12 insertions, 12 deletions
diff --git a/src/libtls/tls_peer.c b/src/libtls/tls_peer.c
index 01adc6c94..1bba3b288 100644
--- a/src/libtls/tls_peer.c
+++ b/src/libtls/tls_peer.c
@@ -130,19 +130,19 @@ static status_t process_server_hello(private_tls_peer_t *this,
memcpy(this->server_random, random.ptr, sizeof(this->server_random));
- DBG1(DBG_IKE, "received TLS version: %N", tls_version_names, version);
if (version < this->tls->get_version(this->tls))
{
this->tls->set_version(this->tls, version);
}
-
suite = cipher;
- DBG1(DBG_IKE, "received TLS cipher suite: %N", tls_cipher_suite_names, suite);
if (!this->crypto->select_cipher_suite(this->crypto, &suite, 1))
{
- DBG1(DBG_IKE, "received TLS cipher suite inacceptable");
+ DBG1(DBG_IKE, "received TLS cipher suite %N inacceptable",
+ tls_cipher_suite_names, suite);
return FAILED;
}
+ DBG1(DBG_IKE, "negotiated TLS version %N with suite %N",
+ tls_version_names, version, tls_cipher_suite_names, suite);
this->state = STATE_HELLO_RECEIVED;
return NEED_MORE;
}
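Review bot: The new "negotiated TLS version" message prints the `version` parsed from the ServerHello rather than the version the session ends up using. `set_version()` is only called when `version` is lower than the local one, so a higher value sent by the server would be logged as negotiated while the local version stays in effect. Passing the effective value, `tls_version_names, this->tls->get_version(this->tls)`, keeps the line reliable for anyone auditing handshakes. With the "received TLS version" line removed, a lowered version is no longer visible as its own event, and no minimum-version check is visible in this hunk, so a message inside the `if (version < ...)` branch would help spot downgrades. The same `version` argument is logged in the matching process_client_hello hunk of tls_server.c; process_server_hello starts outside this hunk.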
@@ -245,12 +245,12 @@ static status_t process_certreq(private_tls_peer_t *this, tls_reader_t *reader)
CERT_X509, KEY_ANY, id, TRUE);
if (cert)
{
- DBG1(DBG_IKE, "received cert request for '%Y", id);
+ DBG1(DBG_IKE, "received TLS cert request for '%Y", id);
this->peer_auth->add(this->peer_auth, AUTH_RULE_CA_CERT, cert);
}
else
{
- DBG1(DBG_IKE, "received cert request for unknown CA '%Y'", id);
+ DBG1(DBG_IKE, "received TLS cert request for unknown CA '%Y'", id);
}
id->destroy(id);
}
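Review bot: The format string in the first changed line still lacks its closing quote (`'%Y` versus `'%Y'` in the else branch), so the CA name is logged with an unbalanced delimiter. Since the line is being edited anyway, it should read `DBG1(DBG_IKE, "received TLS cert request for '%Y'", id);`. The identity is presumably parsed from the peer's CertificateRequest, and balanced quotes make it clear where peer-supplied text begins and ends in the log. process_certreq starts and ends outside the hunk.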
@@ -375,7 +375,6 @@ static status_t send_client_hello(private_tls_peer_t *this,
/* TLS version */
version = this->tls->get_version(this->tls);
- DBG1(DBG_IKE, "sending TLS version: %N", tls_version_names, version);
writer->write_uint16(writer, version);
writer->write_data(writer, chunk_from_thing(this->client_random));
diff --git a/src/libtls/tls_server.c b/src/libtls/tls_server.c
index 8ff306b24..763afc99d 100644
--- a/src/libtls/tls_server.c
+++ b/src/libtls/tls_server.c
@@ -137,7 +137,6 @@ static status_t process_client_hello(private_tls_server_t *this,
memcpy(this->client_random, random.ptr, sizeof(this->client_random));
- DBG1(DBG_IKE, "received TLS version: %N", tls_version_names, version);
if (version < this->tls->get_version(this->tls))
{
this->tls->set_version(this->tls, version);
@@ -154,9 +153,11 @@ static status_t process_client_hello(private_tls_server_t *this,
this->suite = this->crypto->select_cipher_suite(this->crypto, suites, count);
if (!this->suite)
{
- DBG1(DBG_IKE, "received cipher suite inacceptable");
+ DBG1(DBG_IKE, "received cipher suites inacceptable");
return FAILED;
}
+ DBG1(DBG_IKE, "negotiated TLS version %N with suite %N",
+ tls_version_names, version, tls_cipher_suite_names, this->suite);
this->state = STATE_HELLO_RECEIVED;
return NEED_MORE;
}
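Review bot: The failure message `"received cipher suites inacceptable"` is the only one in this commit without the "TLS" prefix, and unlike the client-side message it records nothing about what the peer offered. Suggest `DBG1(DBG_IKE, "received TLS cipher suites inacceptable");` so rejected handshakes match the same log filter as the other TLS messages. Adding the offered `count`, or listing the suites at DBG2, would make it easier to tell a misconfigured client from one probing for weak suites. The start of process_client_hello is outside this hunk.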
@@ -402,7 +403,6 @@ static status_t send_server_hello(private_tls_server_t *this,
/* TLS version */
version = this->tls->get_version(this->tls);
- DBG1(DBG_IKE, "sending TLS version: %N", tls_version_names, version);
writer->write_uint16(writer, version);
writer->write_data(writer, chunk_from_thing(this->server_random));
@@ -410,8 +410,8 @@ static status_t send_server_hello(private_tls_server_t *this,
writer->write_data8(writer, chunk_empty);
/* add selected TLS cipher suite */
- DBG1(DBG_IKE, "sending TLS cipher suite: %N", tls_cipher_suite_names,
- this->suite);
+ DBG2(DBG_IKE, "sending TLS cipher suite: %N",
+ tls_cipher_suite_names, this->suite);
writer->write_uint16(writer, this->suite);
/* NULL compression only */
@@ -510,6 +510,7 @@ static status_t send_certificate_request(private_tls_server_t *this,
if (x509->get_flags(x509) & X509_CA)
{
id = cert->get_subject(cert);
+ DBG1(DBG_IKE, "sending TLS cert request for '%Y'", id);
authorities->write_data16(authorities, id->get_encoding(id));
}
}
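Review bot: The added `DBG1` sits inside what appears to be a loop over CA certificates, so every handshake logs one level-1 line per trusted CA. With a large trust store this can bury the "negotiated TLS version" line and the failure messages that matter for monitoring. Consider `DBG2(DBG_IKE, "sending TLS cert request for '%Y'", id);`, matching the level chosen for "sending TLS cipher suite" in this commit. The enclosing loop and function start outside the hunk.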