[Swan-dev] Certificate based authentication failures with libreswan

Andrew Cagney andrew.cagney at gmail.com
Mon Jan 8 23:35:11 EET 2024


On Mon, 8 Jan 2024 at 15:56, Paul Wouters <paul at nohats.ca> wrote:
>
> This likely depends on the crypto policies set.
> And yes 1024 is probably no longer allowed.
>
> You can try: update-crypto-policies --set LEGACY

Yes.

Between 4.6 and 4.7, and as part of the digital signature work, some
of the crypto code was updated to use higher level interfaces.  These
interfaces are more strict when it comes to checking against system
policy.

> but better to generate new stronger keys.
>
> Paul
>
> Sent using a virtual keyboard on a phone
>
> On Jan 8, 2024, at 12:38, Praveen Chavan <prawin219 at gmail.com> wrote:
>
> 
> Hi,
>
> I am using Oracle Linux 9 based libreswan packages along with nss-tools for certificate based authentication for IPsec.
>
> Has there been a change in libreswan or nss-tools ( that you might be aware of ) to restrict RSA key length 1024?
>
> I noticed this error with RSA key size 1024.
> NSS: RSA DSS sign function failed: SEC_ERROR_OUTPUT_LEN: security library: output length error.
>
> libreswan-4.6-3.0.1.el9_1.1.x86_64.rpm, nss-tools-3.71.0-7.el9.x86_64.rpm:   RSA key 1024 works
> libreswan-4.12-1.0.1.el9.x86_64.rpm, nss-tools-3.71.0-7.el9.x86_64.rpm:         RSA key 1024 - Failed with above shown NSS error
>
> Any insights on this error will be helpful!
>
> Thanks,
> Praveen
>
> _______________________________________________
> Swan-dev mailing list
> Swan-dev at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan-dev
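Before deciding between the LEGACY policy workaround and reissuing keys, it helps to know which certificates actually sit below the policy floor. The POSIX sh script below is an added example, not code from this thread or from libreswan; it assumes openssl is installed, reads PEM certificates from the command line, and treats 2048 bits as the minimum (the assumed floor of the RHEL 9 DEFAULT crypto policy, overridable through MIN_RSA_BITS).

```shell
#!/bin/sh
# Added example (not from the thread): report the public-key size of each PEM
# certificate given on the command line and flag those below a minimum.
# MIN_RSA_BITS defaults to 2048, the assumed floor of the RHEL 9 DEFAULT
# crypto policy; the 1024-bit keys from the thread fall below it.
MIN_RSA_BITS="${MIN_RSA_BITS:-2048}"

# Print the public-key size in bits of a PEM certificate (0 if unreadable).
# Matches both "RSA Public-Key: (N bit)" (OpenSSL 1.1) and "Public-Key: (N bit)" (OpenSSL 3).
rsa_key_bits() {
    bits=$(openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    echo "${bits:-0}"
}

# Return 0 when the certificate's key meets MIN_RSA_BITS, 1 otherwise.
key_meets_policy() {
    bits=$(rsa_key_bits "$1")
    [ "$bits" -ge "$MIN_RSA_BITS" ]
}

# Walk the certificates given as arguments; exit non-zero if any is too small,
# so the check can gate an upgrade in a script.
check_certs() {
    rc=0
    for cert in "$@"; do
        bits=$(rsa_key_bits "$cert")
        if key_meets_policy "$cert"; then
            echo "OK    $cert: $bits-bit key"
        else
            echo "WEAK  $cert: $bits-bit key (< $MIN_RSA_BITS); reissue before upgrading"
            rc=1
        fi
    done
    return $rc
}

# Run the check only when certificates were passed on the command line.
[ $# -gt 0 ] && check_certs "$@"
```

A certificate held in libreswan's NSS database (assumed at /var/lib/ipsec/nss on RHEL-based systems) can be exported in PEM form with `certutil -L -d sql:/var/lib/ipsec/nss -n <nickname> -a` and checked the same way, and `update-crypto-policies --show` reports which policy is active.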

