[Swan-dev] Certificate based authentication failures with libreswan
Paul Wouters
paul at nohats.ca
Mon Jan 8 22:36:35 EET 2024
This likely depends on the crypto policies set.
And yes 1024 is probably no longer allowed.
You can try: update-crypto-policies --set LEGACY
but better to generate new stronger keys.
Paul
Sent using a virtual keyboard on a phone
> On Jan 8, 2024, at 12:38, Praveen Chavan <prawin219 at gmail.com> wrote:
>
>
> Hi,
>
> I am using Oracle Linux 9-based libreswan packages along with nss-tools for certificate-based authentication for IPsec.
>
> Has there been a change in libreswan or nss-tools (that you might be aware of) to restrict RSA key length 1024?
>
> I noticed this error with RSA key size 1024.
> NSS: RSA DSS sign function failed: SEC_ERROR_OUTPUT_LEN: security library: output length error.
>
> libreswan-4.6-3.0.1.el9_1.1.x86_64.rpm, nss-tools-3.71.0-7.el9.x86_64.rpm: RSA key 1024 works
> libreswan-4.12-1.0.1.el9.x86_64.rpm, nss-tools-3.71.0-7.el9.x86_64.rpm: RSA key 1024 - Failed with above shown NSS error
>
> Any insights on this error will be helpful!
>
> Thanks,
> Praveen