[Swan-dev] overview of yesterday's test failures (please fix)

D. Hugh Redelmeier
hugh at mimosa.com
Tue Oct 17 18:12:15 UTC 2017

The tests were run on my machine. It gets a lot of retransmissions etc.
that count as errors, but I've ignored them.

PLEASE: everyone look at each of these to see if you are responsible
and can fix them. Most look easy.

(I hope your MUA does not make these harder to read by damaging the
formatting.)

testing/pluto/ikev2-ddns-02 failed west:output-different
script changed, reference output did not.
testing/pluto/newoe-15-portpass failed road:output-different
extra src policy
testing/pluto/newoe-18-private-clear failed road:output-different
extra src policy
testing/pluto/newoe-18-poc-blockall failed road:output-different
extra src policy
testing/pluto/newoe-18-private-clearall failed road:output-different
extra src policy
testing/pluto/newoe-19-poc-poc-clear failed road:output-different
extra src policy
testing/pluto/newoe-20-ipv6 failed east:output-different road:output-different
--- MASTER/testing/pluto/newoe-20-ipv6/road.console.txt
+++ OUTPUT/testing/pluto/newoe-20-ipv6/road.console.txt
@@ -11,8 +11,11 @@
echo "fe80::/10" >> /etc/ipsec.d/policies/clear
road #
cp /source/programs/configs/v6neighbor-hole.conf /etc/ipsec.d/
+cp: cannot stat ‘/source/programs/configs/v6neighbor-hole.conf’: No such file or directory
road #
ipsec start
+warning: could not open include filename: '/etc/ipsec.d/v6neighbor-hole.conf'
+warning: could not open include filename: '/etc/ipsec.d/v6neighbor-hole.conf'
Redirecting to: systemctl start ipsec.service
road #
# ensure for tests acquires expire before our failureshunt=2m
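Review bot: The cp of /source/programs/configs/v6neighbor-hole.conf fails with "No such file or directory", yet the script carries on and "ipsec start" only warns that the include cannot be opened, so the rest of the test runs without the file it was meant to install. Either road's script needs the file's new location, or the copy step and the include should be removed together. A failed setup step like this would also be easier to spot if it stopped the test instead of letting it continue.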
testing/pluto/newoe-21-liveness-clear failed east:output-different road:output-different
road's script changed but reference log did not
testing/pluto/certoe-07-nat-2-clients failed road:output-different
extra src policy
testing/pluto/rawrsaoe-asymetric-nat failed east:output-different road:output-different
some kind of real failure
testing/pluto/dnsoe-01 failed east:output-different road:output-different
some kind of real failure
testing/pluto/dnsoe-02 failed east:output-different road:output-different
some kind of real failure
testing/pluto/dpd-01 failed west:output-different
not sure.
testing/pluto/ikev2-liveness-05 failed west:output-different
script changed but not reference output
testing/pluto/delete-sa-01 failed east:output-different west:output-different
+whack error: SAwest-east unexpected argument "leftrsasigkey"
etc.
testing/pluto/nat-pluto-02-klips-klips failed road:output-different
-006 #2: "road-eastnet-nat", type=ESP, add_time=1234567890, id='@east'
+006 #2: "road-eastnet-nat", type=ESP, add_time=1234567890, inBytes=336, outBytes=336, id='@east'
testing/pluto/xauth-pluto-17 failed road:output-different
Worth examination, I think.
--- MASTER/testing/pluto/xauth-pluto-17/road.console.txt
+++ OUTPUT/testing/pluto/xauth-pluto-17/road.console.txt
@@ -31,7 +31,8 @@
002 "xauth-road-eastnet-psk" #1: XAUTH: Answering XAUTH challenge with user='use2'
004 "xauth-road-eastnet-psk" #1: STATE_XAUTH_I1: XAUTH client - possibly awaiting CFG_set {auth=PRESHARED_KEY cipher=3des_cbc_192 integ=sha group=MODP1536}
002 "xauth-road-eastnet-psk" #1: XAUTH: Successfully Authenticated
-004 "xauth-road-eastnet-psk" #1: STATE_XAUTH_I1: XAUTH client - possibly awaiting CFG_set {auth=PRESHARED_KEY cipher=3des_cbc_192 integ=sha group=MODP1536}
+002 "xauth-road-eastnet-psk" #1: XAUTH completed; ModeCFG skipped as per configuration
+004 "xauth-road-eastnet-psk" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=PRESHARED_KEY cipher=3des_cbc_192 integ=sha group=MODP1536}
002 "xauth-road-eastnet-psk" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+XAUTH+AGGRESSIVE+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO
117 "xauth-road-eastnet-psk" #2: STATE_QUICK_I1: initiate
004 "xauth-road-eastnet-psk" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=none DPD=active username=use2}
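Review bot: After "XAUTH: Successfully Authenticated" the state line changes from STATE_XAUTH_I1 ("possibly awaiting CFG_set") to "XAUTH completed; ModeCFG skipped as per configuration" followed by STATE_AGGR_I2, and Quick Mode still completes in the unchanged lines below. That reads as a deliberate logging change rather than a regression, so confirm that this connection is configured without ModeCFG and then regenerate road's reference output.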
@@ -86,6 +87,18 @@
dir out priority 2088 ptype main
tmpl src 192.1.3.209 dst 192.1.2.23
proto esp reqid REQID mode tunnel
+src ::/0 dst ::/0 proto ipv6-icmp type 135
+ dir fwd priority 1 ptype main
+src ::/0 dst ::/0 proto ipv6-icmp type 135
+ dir in priority 1 ptype main
+src ::/0 dst ::/0 proto ipv6-icmp type 135
+ dir out priority 1 ptype main
+src ::/0 dst ::/0 proto ipv6-icmp type 136
+ dir fwd priority 1 ptype main
+src ::/0 dst ::/0 proto ipv6-icmp type 136
+ dir in priority 1 ptype main
+src ::/0 dst ::/0 proto ipv6-icmp type 136
+ dir out priority 1 ptype main
XFRM done
IPSEC mangle TABLES
NEW_IPSEC_CONN mangle TABLES
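Review bot: The twelve added lines are six xfrm policies for ipv6-icmp types 135 and 136 (neighbour solicitation and advertisement), one per direction at priority 1, in a test whose tunnel template is IPv4 (192.1.3.209 to 192.1.2.23). If pluto now installs these unconditionally, this may be the same "extra src policy" difference listed for the newoe tests above, and it is better handled once (in the sanitizer, or by regenerating the references in one commit) than test by test.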
testing/pluto/xauth-pluto-25-mixed-addresspool failed north:output-different road:output-different
looks bad:
ipsec whack --trafficstatus
-006 #2: "north-east", username=xnorth, type=ESP, add_time=1234567890, inBytes=0, outBytes=0
testing/pluto/xauth-pluto-25-lsw299 failed north:output-different road:output-different
looks bad:
ipsec whack --trafficstatus
-006 #2: "road-east", username=xroad, type=ESP, add_time=1234567890, inBytes=336, outBytes=336
testing/pluto/netkey-klips-pluto-03 failed west:output-different
lots of differences in xfrm policy
testing/pluto/klips-netkey-pluto-06 failed west:output-different
lots of differences in xfrm policy
testing/pluto/interop-ikev2-strongswan-13-ah-initiator failed west:output-different
--- MASTER/testing/pluto/interop-ikev2-strongswan-13-ah-initiator/west.console.txt
+++ OUTPUT/testing/pluto/interop-ikev2-strongswan-13-ah-initiator/west.console.txt
@@ -39,10 +39,9 @@
sending packet: from 192.1.2.45[500] to 192.1.2.23[500] (XXX bytes)
received packet: from 192.1.2.23[500] to 192.1.2.45[500] (XXX bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) ]
-sending cert request for "C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing at libreswan.org"
authentication of 'west' (myself) with pre-shared key
establishing CHILD_SA westnet-eastnet-ikev2{1}
-generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
+generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 192.1.2.45[4500] to 192.1.2.23[4500] (XXX bytes)
received packet: from 192.1.2.23[4500] to 192.1.2.45[4500] (XXX bytes)
parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
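Review bot: The "sending cert request for ..." line and the CERTREQ payload in the IKE_AUTH request disappear together, while authentication is by pre-shared key and the IKE_AUTH response is still parsed. The two removals are consistent with each other, which suggests the strongSwan side no longer has the test CA loaded rather than a change in the exchange itself. Check whether that was intended before updating west's reference. The identical difference appears in interop-ikev2-strongswan-17-delete-sa-responder below.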
testing/pluto/interop-ikev2-strongswan-17-delete-sa-responder failed west:output-different
--- MASTER/testing/pluto/interop-ikev2-strongswan-17-delete-sa-responder/west.console.txt
+++ OUTPUT/testing/pluto/interop-ikev2-strongswan-17-delete-sa-responder/west.console.txt
@@ -39,10 +39,9 @@
sending packet: from 192.1.2.45[500] to 192.1.2.23[500] (XXX bytes)
received packet: from 192.1.2.23[500] to 192.1.2.45[500] (XXX bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) ]
-sending cert request for "C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing at libreswan.org"
authentication of 'west' (myself) with pre-shared key
establishing CHILD_SA westnet-eastnet-ikev2{1}
-generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
+generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 192.1.2.45[4500] to 192.1.2.23[4500] (XXX bytes)
received packet: from 192.1.2.23[4500] to 192.1.2.45[4500] (XXX bytes)
parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
testing/pluto/interop-ikev2-strongswan-35-ipsec-rekey failed west:output-different
--- MASTER/testing/pluto/interop-ikev2-strongswan-35-ipsec-rekey/west.console.txt
+++ OUTPUT/testing/pluto/interop-ikev2-strongswan-35-ipsec-rekey/west.console.txt
@@ -87,8 +87,10 @@
strongswan status
Security Associations (1 up, 0 connecting):
westnet-eastnet-ikev2[1]: ESTABLISHED XXX second ago, 192.1.2.45[west]...192.1.2.23[east]
-westnet-eastnet-ikev2{6}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: SPISPI_i SPISPI_o
+westnet-eastnet-ikev2{6}: DELETING, TUNNEL, reqid 1
westnet-eastnet-ikev2{6}: 192.0.1.0/24 === 192.0.2.0/24
+westnet-eastnet-ikev2{7}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: SPISPI_i SPISPI_o
+westnet-eastnet-ikev2{7}: 192.0.1.0/24 === 192.0.2.0/24
west #
echo done
done
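Review bot: The expected output pins the CHILD_SA index: the reference has {6} INSTALLED, the run has {6} DELETING and {7} INSTALLED, so one more rekey had completed when "strongswan status" was taken. An SA is installed in both cases. The comparison would be stable if the test waited for a fixed number of rekeys before the status call, or if the sanitizer masked the {N} counter and the transient DELETING entry.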
testing/pluto/interop-ikev2-strongswan-35-rekey-reauth failed east:output-different west:output-different
reqid changed
testing/pluto/interop-ikev2-strongswan-35-responder-rekey-pfs failed west:output-different
--- MASTER/testing/pluto/interop-ikev2-strongswan-35-responder-rekey-pfs/west.console.txt
+++ OUTPUT/testing/pluto/interop-ikev2-strongswan-35-responder-rekey-pfs/west.console.txt
@@ -36,10 +36,8 @@
westnet-eastnet-ikev2[1]: ESTABLISHED XXX second ago, 192.1.2.45[west]...192.1.2.23[east]
westnet-eastnet-ikev2{1}: DELETING, TUNNEL, reqid 1
westnet-eastnet-ikev2{1}: 192.0.1.0/24 === 192.0.2.0/24
-westnet-eastnet-ikev2{2}: DELETING, TUNNEL, reqid 1
+westnet-eastnet-ikev2{2}: REKEYING, TUNNEL, reqid 1, expires in 59 minutes
westnet-eastnet-ikev2{2}: 192.0.1.0/24 === 192.0.2.0/24
-westnet-eastnet-ikev2{3}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: SPISPI_i SPISPI_o
-westnet-eastnet-ikev2{3}: 192.0.1.0/24 === 192.0.2.0/24
west #
echo done
done
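Review bot: Here the run is behind the reference rather than ahead of it: {2} is still REKEYING ("expires in 59 minutes") and the {3} INSTALLED lines are missing, so no replacement CHILD_SA is shown at the time of the status call. Before treating this as timing, check the logs to see whether the rekey with PFS actually completed.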
testing/pluto/dnssec-pluto-01 failed west:output-different
--- MASTER/testing/pluto/dnssec-pluto-01/west.console.txt
+++ OUTPUT/testing/pluto/dnssec-pluto-01/west.console.txt
@@ -39,8 +39,6 @@
ipsec auto --status | egrep "oriented|east-from-hosts"
000 "westnet-eastnet-etc-hosts": 192.0.1.0/24===192.1.2.45<192.1.2.45>[@west]...192.1.2.23<east-from-hosts-file>[@east]===192.0.2.0/24; unrouted; eroute owner: #0
000 "westnet-eastnet-etc-hosts": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
-000 "westnet-eastnet-etc-hosts-auto-add": 192.0.1.0/24===192.1.2.45<192.1.2.45>[@west]...192.1.2.23<east-from-hosts-file>[@east]===192.0.2.0/24; unrouted; eroute owner: #0
-000 "westnet-eastnet-etc-hosts-auto-add": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
west #
echo "initdone"
initdone
testing/pluto/ikev2-55-ipseckey-01 passed
testing/pluto/ikev2-55-ipseckey-02 failed road:output-different
--- MASTER/testing/pluto/ikev2-55-ipseckey-02/road.console.txt
+++ OUTPUT/testing/pluto/ikev2-55-ipseckey-02/road.console.txt
@@ -83,9 +83,9 @@
133 "road-east-2" #1: STATE_PARENT_I1: initiate
133 "road-east-2" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
002 "road-east-2" #1: suppressing retransmit because IMPAIR_RETRANSMITS is set.
-003 "road-east-2" #1: Can't find the private key from the NSS CKA_ID
-003 "road-east-2" #1: Failed to find our RSA key
-000 "road-east-2" #1: realse whack for IKE SA, but releasing whack for pending IPSEC SA
+003 "road-east-2" #1: Can't find the certificate or private key from the NSS CKA_ID
+003 "road-east-2" #1: DigSig: failed to find our RSA key
+000 "road-east-2" #1: release whack for IKE SA, but releasing whack for pending IPSEC SA
road #
ping -n -c 4 -I 192.1.3.209 192.1.2.23
PING 192.1.2.23 (192.1.2.23) from 192.1.3.209 : 56(84) bytes of data.
testing/pluto/nss-cert-crl-03-strict failed west:output-different
--- MASTER/testing/pluto/nss-cert-crl-03-strict/west.console.txt
+++ OUTPUT/testing/pluto/nss-cert-crl-03-strict/west.console.txt
@@ -40,6 +40,10 @@
002 "nss-cert-crl" #1: I am sending my cert
002 "nss-cert-crl" #1: I am sending a certificate request
108 "nss-cert-crl" #1: STATE_MAIN_I3: sent MI3, expecting MR3
+003 "nss-cert-crl" #1: ignoring informational payload INVALID_ID_INFORMATION, msgid=00000000, length=12
+003 "nss-cert-crl" #1: received and ignored informational message
+003 "nss-cert-crl" #1: discarding duplicate packet; already STATE_MAIN_I3
+010 "nss-cert-crl" #1: STATE_MAIN_I3: retransmission; will wait 500ms for response
002 "nss-cert-crl" #1: Peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east at testing.libreswan.org'
002 "nss-cert-crl" #1: certificate verified OK: E=user-east at testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
004 "nss-cert-crl" #1: STATE_MAIN_I4: ISAKMP SA established {auth=RSA_SIG cipher=aes_256 integ=sha2_256 group=MODP2048}
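Review bot: The four added lines show an ignored INVALID_ID_INFORMATION informational, a discarded duplicate packet and a retransmission between MI3 and the peer ID line, after which the exchange still reaches "certificate verified OK" and STATE_MAIN_I4. That pattern fits the retransmission noise mentioned at the top of this message, but because this is the strict CRL test it is worth confirming from east's log why the notification was sent before the difference is dismissed.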
testing/pluto/nss-cert-nosecret failed west:output-different
--- MASTER/testing/pluto/nss-cert-nosecret/west.console.txt
+++ OUTPUT/testing/pluto/nss-cert-nosecret/west.console.txt
@@ -159,25 +159,24 @@
000 TIMESTAMP, 1024 RSA Key AwXXXXXXX (no private key), until TIMESTAMP ok
000 ID_IPV4_ADDR '192.1.2.23'
000 Issuer 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing at libreswan.org'
-000 TIMESTAMP, 1024 RSA Key AwXXXXXXX (has private key), until TIMESTAMP ok
+000 TIMESTAMP, 1024 RSA Key AwXXXXXXX (no private key), until TIMESTAMP ok
000 ID_DER_ASN1_DN 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west at testing.libreswan.org'
000 Issuer 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing at libreswan.org'
-000 TIMESTAMP, 1024 RSA Key AwXXXXXXX (has private key), until TIMESTAMP ok
+000 TIMESTAMP, 1024 RSA Key AwXXXXXXX (no private key), until TIMESTAMP ok
000 ID_USER_FQDN 'user-west at testing.libreswan.org'
000 Issuer 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing at libreswan.org'
-000 TIMESTAMP, 1024 RSA Key AwXXXXXXX (has private key), until TIMESTAMP ok
+000 TIMESTAMP, 1024 RSA Key AwXXXXXXX (no private key), until TIMESTAMP ok
000 ID_FQDN '@west.testing.libreswan.org'
000 Issuer 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing at libreswan.org'
-000 TIMESTAMP, 1024 RSA Key AwXXXXXXX (has private key), until TIMESTAMP ok
+000 TIMESTAMP, 1024 RSA Key AwXXXXXXX (no private key), until TIMESTAMP ok
000 ID_USER_FQDN 'west at testing.libreswan.org'
000 Issuer 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing at libreswan.org'
-000 TIMESTAMP, 1024 RSA Key AwXXXXXXX (has private key), until TIMESTAMP ok
+000 TIMESTAMP, 1024 RSA Key AwXXXXXXX (no private key), until TIMESTAMP ok
000 ID_IPV4_ADDR '192.1.2.45'
000 Issuer 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing at libreswan.org'
000
000 List of Pre-shared secrets (from /etc/ipsec.secrets)
000
-000 0: RSA (none) (none)
000
000 List of X.509 End Certificates:
000
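Review bot: Every key that the reference lists as "(has private key)" is now "(no private key)", and the "0: RSA (none) (none)" entry under the pre-shared secrets list is gone. Both changes point the same way: pluto no longer associates a private key with these public key entries. In a test named nss-cert-nosecret that may be the corrected behaviour, but confirm it against the change that altered key loading before regenerating the reference.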
testing/pluto/nss-cert-09-notyetvalid-initiator failed east:output-different west:output-different
--- MASTER/testing/pluto/nss-cert-09-notyetvalid-initiator/east.console.txt
+++ OUTPUT/testing/pluto/nss-cert-09-notyetvalid-initiator/east.console.txt
@@ -17,7 +17,6 @@
# will only show up on east - note "expired" is wrong and should be "not yet valid"
east #
grep "ERROR" /tmp/pluto.log
-"nss-cert" #1: ERROR: Peer's Certificate has expired.
east #
east #
../bin/check-for-core.sh
--- MASTER/testing/pluto/nss-cert-09-notyetvalid-initiator/west.console.txt
+++ OUTPUT/testing/pluto/nss-cert-09-notyetvalid-initiator/west.console.txt
@@ -1,4 +1,4 @@
-/testing/guestbin/swan-prep --x509 --x509name notyetvalid
+/testing/guestbin/swan-prep --x509
Preparing X.509 files
west #
certutil -d sql:/etc/ipsec.d -D -n east
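Review bot: The first line drops "--x509name notyetvalid" from the swan-prep call, so west is no longer prepared with the not-yet-valid certificate this test is about. The next hunk shows the consequence: "certificate verified OK" and "ISAKMP SA established" where the reference expected the exchange to stop at STATE_MAIN_I3. Reconcile west's script with the reference (restore the argument, or update the reference if the change was intended) before looking at the other differences in this test.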
@@ -30,12 +30,18 @@
002 "nss-cert" #1: I am sending my cert
002 "nss-cert" #1: I am sending a certificate request
108 "nss-cert" #1: STATE_MAIN_I3: sent MI3, expecting MR3
-003 "nss-cert" #1: ignoring informational payload INVALID_KEY_INFORMATION, msgid=00000000, length=12
-003 "nss-cert" #1: received and ignored informational message
-003 "nss-cert" #1: discarding duplicate packet; already STATE_MAIN_I3
-002 "nss-cert" #1: suppressing retransmit because IMPAIR_RETRANSMITS is set
-031 "nss-cert" #1: max number of retransmissions (0) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
-002 "nss-cert" #1: deleting state (STATE_MAIN_I3)
+002 "nss-cert" #1: Peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east at testing.libreswan.org'
+002 "nss-cert" #1: certificate verified OK: E=user-east at testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
+004 "nss-cert" #1: STATE_MAIN_I4: ISAKMP SA established {auth=RSA_SIG cipher=aes_256 integ=sha2_256 group=MODP2048}
+002 "nss-cert" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO
+117 "nss-cert" #2: STATE_QUICK_I1: initiate
+003 "nss-cert" #2: up-client command exited with status 1
+032 "nss-cert" #2: STATE_QUICK_I1: internal error
+003 "nss-cert" #2: discarding duplicate packet; already STATE_QUICK_I1
+003 "nss-cert" #2: discarding duplicate packet; already STATE_QUICK_I1
+002 "nss-cert" #2: deleting state (STATE_QUICK_I1)
+003 "nss-cert" #2: ERROR: netlink response for Del SA esp.ESPSPIi at 192.1.2.23 included errno 3: No such process
+003 "nss-cert" #2: ERROR: netlink response for Del SA esp.ESPSPIi at 192.1.2.45 included errno 3: No such process
west #
echo done
done
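Review bot: Once the IKE SA establishes, the new failure is in Quick Mode: "up-client command exited with status 1" is followed by "STATE_QUICK_I1: internal error" and two "Del SA ... errno 3: No such process" errors. That is separate from the certificate date check and should be followed up on its own, starting with why the updown script failed, since the Del SA errors look like cleanup of SAs that were never installed.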
@@ -43,6 +49,9 @@
# will only show up on east - note "expired" is wrong and should be "not yet valid"
west #
grep "ERROR" /tmp/pluto.log
+| complete v1 state transition with STF_INTERNAL_ERROR
+"nss-cert" #2: ERROR: netlink response for Del SA esp.ESPSPIi at 192.1.2.23 included errno 3: No such process
+"nss-cert" #2: ERROR: netlink response for Del SA esp.ESPSPIi at 192.1.2.45 included errno 3: No such process
west #
west #
../bin/check-for-core.sh
testing/pluto/nss-cert-10-notyetvalid-responder-ikev2 failed east:output-different west:output-different
--- MASTER/testing/pluto/nss-cert-10-notyetvalid-responder-ikev2/east.console.txt
+++ OUTPUT/testing/pluto/nss-cert-10-notyetvalid-responder-ikev2/east.console.txt
@@ -24,6 +24,8 @@
# only expected to show failure on west
east #
grep "ERROR" /tmp/pluto.log
+"nss-cert" #2: ERROR: netlink response for Del SA esp.ESPSPIi at 192.1.2.45 included errno 3: No such process
+"nss-cert" #2: ERROR: netlink response for Del SA esp.ESPSPIi at 192.1.2.23 included errno 3: No such process
east #
east #
../bin/check-for-core.sh
--- MASTER/testing/pluto/nss-cert-10-notyetvalid-responder-ikev2/west.console.txt
+++ OUTPUT/testing/pluto/nss-cert-10-notyetvalid-responder-ikev2/west.console.txt
@@ -27,13 +27,6 @@
002 "nss-cert" #1: suppressing retransmit because IMPAIR_RETRANSMITS is set.
134 "nss-cert" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=aes_gcm_16_256 integ=n/a prf=sha2_512 group=MODP2048}
002 "nss-cert" #2: suppressing retransmit because IMPAIR_RETRANSMITS is set.
-003 "nss-cert" #2: Certificate E=testing at libreswan.org,CN=notyetvalid.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA failed verification
-003 "nss-cert" #2: ERROR: Peer's Certificate has expired.
-002 "nss-cert" #2: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=notyetvalid.testing.libreswan.org, E=testing at libreswan.org'
-003 "nss-cert" #2: no RSA public key known for 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=notyetvalid.testing.libreswan.org, E=testing at libreswan.org'
-002 "nss-cert" #2: RSA authentication failed
-224 "nss-cert" #2: STATE_PARENT_I2: v2N_AUTHENTICATION_FAILED
-003 "nss-cert" #2: EXPECTATION FAILED: st != NULL && st->st_event != NULL && st->st_event->ev_type == EVENT_v2_RETRANSMIT (in complete_v2_state_transition at /source/programs/pluto/ikev2.c:1827)
west #
echo done
done
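Review bot: All of the expected rejection lines are gone, from "failed verification" through v2N_AUTHENTICATION_FAILED, and west's output now ends at "sent v2I2, expected v2R2" with retransmits suppressed, so this console no longer shows whether the not-yet-valid certificate was refused. Note also that the reference itself contains an "EXPECTATION FAILED ... ikev2.c:1827" line. Do not simply regenerate it: decide first what the correct failure output should be, and have the test wait for it.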
@@ -41,7 +34,6 @@
# only expected to show failure on west
west #
grep "ERROR" /tmp/pluto.log
-"nss-cert" #2: ERROR: Peer's Certificate has expired.
west #
west #
../bin/check-for-core.sh
testing/pluto/ipsec-hostkey-ckaid-02-fips failed west:output-different
--- MASTER/testing/pluto/ipsec-hostkey-ckaid-02-fips/west.console.txt
+++ OUTPUT/testing/pluto/ipsec-hostkey-ckaid-02-fips/west.console.txt
@@ -4,14 +4,18 @@
FIPS mode enabled.
west #
ipsec newhostkey
-Generated RSA key pair with CKAID <<CKAID#1>> was stored in the NSS database
+FIPS HMAC integrity verification test failed.
west #
ipsec showhostkey --list
-< 1> RSA keyid: <<KEYID#1>> ckaid: <<CKAID#1>>
west #
ckaid=$(ipsec showhostkey --list | sed -e 's/.*ckaid: //')
west #
ipsec showhostkey --left --ckaid $ckaid
- # rsakey <<KEYID#1>>
- leftrsasigkey=<<RSASIGKEY#1>>
+PATH/libexec/ipsec/showhostkey: option '--ckaid' requires an argument
+Usage: showhostkey [ --verbose ]
+ { --version | --dump | --list | --left | --right |
+ --ipseckey [ --precedence <precedence> ]
+ [ --gateway <gateway> ] }
+ [ --rsaid <rsaid> | --ckaid <ckaid> ]
+ [ --nssdir <nssdir> ] [ --password <password> ]
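Review bot: The root failure is the second changed line, "FIPS HMAC integrity verification test failed." from "ipsec newhostkey"; everything after it is a cascade. With no key generated, "ipsec showhostkey --list" prints nothing, $ckaid is empty, and the unquoted "--ckaid $ckaid" collapses to a bare "--ckaid", which produces the usage error. Fix or investigate the FIPS integrity check first. In the script, quoting "$ckaid" or testing that it is non-empty would make the real cause clearer in the output.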