[Swan] Does libreswan 1.15 have a problem with spaces in CA common names/nicknames

Tony Whyman tony.whyman at mccallumwhyman.com
Tue Sep 8 09:30:09 UTC 2015


I ask the question because what did work with earlier versions has 
stopped working, i.e. both cert import and SA authentication fail.

For example, installing a clean version of libreswan 1.15 using a .deb 
file on Ubuntu 14.04 64-bit:

  Run ipsec import to set up the certs from a .p12 file

This fails with

ipsec import rebecca.mwassocs.co.uk.p12
Enter password for PKCS12 file:
pk12util: PKCS12 IMPORT SUCCESSFUL
certutil: Could not find cert: MWA Root CA
: PR_FILE_NOT_FOUND_ERROR: File not found


If I then explicitly list the NSS store, I get

certutil -L -d sql:/etc/ipsec.d

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

rebecca.mwassocs.co.uk                                       u,u,u
MWA Root CA                                                  ,,

I can then do

certutil -V -d sql:/etc/ipsec.d -n "MWA Root CA" -u C
certutil: certificate is invalid: Peer's certificate issuer has been 
marked as not trusted by the user.
rebecca ~ # certutil -M -d sql:/etc/ipsec.d -n "MWA Root CA" -t "CT,"
rebecca ~ # certutil -V -d sql:/etc/ipsec.d -n "MWA Root CA" -u C
certutil: certificate is valid

So the NSS store seems happy.

However, when I try to start an SA with "rebecca" as the responder, the 
initiator fails with INVALID_ID_INFORMATION. Running "rebecca" under 
debug all gets:

Sep  8 10:17:09 rebecca pluto[12733]: | refine_host_connection: checking 
mwa[1] 172.16.1.16 against mwa[1] 172.16.1.16, best=(none) with 
match=0(id=1/ca=0/reqca=1)
Sep  8 10:17:09 rebecca pluto[12733]: | find_host_pair: comparing 
172.16.1.62:500 to 0.0.0.0:500
Sep  8 10:17:09 rebecca pluto[12733]: | find_host_pair_conn 
(refine_host_connection): 172.16.1.62:500 %any:500 -> hp:mwa
Sep  8 10:17:09 rebecca pluto[12733]: |    match_id a=C=GB, ST=blah, 
L=blah, O=MWA, OU=Workstation, CN=zeus.mwassocs.co.uk
Sep  8 10:17:09 rebecca pluto[12733]: |             b=C=GB, ST=blah, 
L=blah, O=MWA, OU=Workstation, CN=zeus.mwassocs.co.uk
Sep  8 10:17:09 rebecca pluto[12733]: |    results  matched
Sep  8 10:17:09 rebecca pluto[12733]: |   trusted_ca_nss called with 
a=(empty) b=C=GB, ST=blah, L=blah, O=MWA, OU=Certification Services 
Division, CN=MWA Root CA
Sep  8 10:17:09 rebecca pluto[12733]: |   trusted_ca_nss called with 
a=C=GB, ST=blah, L=blah, O=MWA, OU=Certification Services Division, 
CN=MWA Root CA b=C=GB, ST=blah, L=blah, O=MWA, OU=Certification Services 
Division, CN=MWA Root CA
Sep  8 10:17:09 rebecca pluto[12733]: message repeated 3 times: [ |   
trusted_ca_nss called with a=C=GB, ST=blah, L=blah, O=MWA, 
OU=Certification Services Division, CN=MWA Root CA b=C=GB, ST=blah, 
L=blah, O=MWA, OU=Certification Services Division, CN=MWA Root CA]
Sep  8 10:17:09 rebecca pluto[12733]: | refine_host_connection: checking 
mwa[1] 172.16.1.16 against mwa, best=(none) with match=0(id=1/ca=0/reqca=1)
Sep  8 10:17:09 rebecca pluto[12733]: "mwa"[1] 172.16.1.16 #3: 
EXPECTATION FAILED at /tmp/libreswan-3.15/programs/pluto/ikev1.c:2843: r 
!= NULL


This looks to me like it's failing when it comes to validating the 
certificate CA signature.

"rebecca" is a test system that I use to test the VPN and the same 
setup, certificates and all worked fine with 1.13, so this looks like a 
regression.

Comparing the 1.13 and 1.15 versions of ipsec import reveals a lot of 
changes...

Tony Whyman
MWA
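The listing above shows the symptom in one line: "MWA Root CA" sits in the NSS
database with empty trust attributes (",,"), which is what has to be corrected
with certutil -M before pluto will chain to it. The following script is an
added example for this thread, not code from the post or from libreswan or
NSS: it parses the output of `certutil -L -d sql:/etc/ipsec.d`, taking the
trust column from the right so that nicknames containing spaces survive,
reports entries that are neither our own key (no "u") nor a trusted CA (no "C"
or "T" in the SSL field), and prints a correctly quoted certutil -M command.
The sample listing is constructed (it adds a hypothetical "Example Issuing CA"
row), and the trust string "CT,," is an assumption about what a CA entry should
carry, not something the post states.

```python
#!/usr/bin/env python3
"""Parse `certutil -L` output and report certificates with no CA trust flags.

Added example for the thread above; not part of libreswan or NSS.
Nicknames may contain spaces ("MWA Root CA"), so each row is split from the
right: the last whitespace-separated token is the trust string and everything
before it is the nickname.
"""

import re
import shlex

# Flag characters certutil accepts in each of the three trust fields
# (SSL, S/MIME, JAR/XPI); every field may also be empty, as in ",,".
TRUST_FIELD = r"[pPcCTuw]*"
TRUST_RE = re.compile(rf"^{TRUST_FIELD},{TRUST_FIELD},{TRUST_FIELD}$")

# Constructed sample modelled on the listing in the post.  The header is
# wrapped across two lines the way certutil prints it; the last row is a
# hypothetical addition to show a correctly flagged CA.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

rebecca.mwassocs.co.uk                                       u,u,u
MWA Root CA                                                  ,,
Example Issuing CA                                           CT,C,C
"""


def parse_listing(text):
    """Return [(nickname, (ssl, smime, jar)), ...] for each certificate row.

    Header lines, blank lines and the wrapped "SSL,S/MIME,JAR/XPI" line do
    not end in a valid trust string, so they are skipped.
    """
    certs = []
    for line in text.splitlines():
        parts = line.rstrip().rsplit(None, 1)
        if len(parts) != 2 or not TRUST_RE.match(parts[1]):
            continue  # not a certificate row
        nickname, trust = parts
        certs.append((nickname, tuple(trust.split(","))))
    return certs


def is_private(trust):
    """'u' in any field means the database holds the private key (our own cert)."""
    return any("u" in field for field in trust)


def is_trusted_ca_for_ssl(trust):
    """NSS treats a cert as a trusted CA for SSL when its SSL field has C or T."""
    ssl_field = trust[0]
    return "C" in ssl_field or "T" in ssl_field


def untrusted_cas(certs):
    """Entries that are neither ours nor trusted as a CA: the ones pluto will
    refuse to chain to, like "MWA Root CA" in the post."""
    return [nick for nick, trust in certs
            if not is_private(trust) and not is_trusted_ca_for_ssl(trust)]


def fix_command(nickname, dbdir="sql:/etc/ipsec.d", flags="CT,,"):
    """The certutil -M invocation that marks the entry as a trusted CA.

    shlex.quote keeps a nickname with spaces as a single argument; the
    "CT,," flag string is an assumption about the trust a CA entry needs.
    """
    return (f"certutil -M -d {shlex.quote(dbdir)} "
            f"-n {shlex.quote(nickname)} -t {shlex.quote(flags)}")


if __name__ == "__main__":
    for nick in untrusted_cas(parse_listing(SAMPLE_LISTING)):
        print(f"{nick!r} has no CA trust; run: {fix_command(nick)}")
```

Run against a real store with `certutil -L -d sql:/etc/ipsec.d | python3 check_trust.py`
after changing the `__main__` block to read `sys.stdin`; the point of the
right-to-left split is that a nickname such as "MWA Root CA" is never broken
into three tokens, which is the mistake a naive `split()` would make.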

