[Swan] Does libreswan 1.15 have a problem with spaces in CA common names/nicknames
Tony Whyman
tony.whyman at mccallumwhyman.com
Tue Sep 8 14:21:37 UTC 2015
Paul,
Thanks for getting back. If you look down my original email, I have
already tried:
certutil -V -d sql:/etc/ipsec.d -n "MWA Root CA" -u C
certutil: certificate is invalid: Peer's certificate issuer has been
marked as not trusted by the user.
rebecca ~ # certutil -M -d sql:/etc/ipsec.d -n "MWA Root CA" -t "CT,"
rebecca ~ # certutil -V -d sql:/etc/ipsec.d -n "MWA Root CA" -u C
certutil: certificate is valid
but with no luck. I noted that your suggestion had two "," in it, so
tried that as well, just in case, but still the same result.
There are probably two problems here. The first is with the import
script. I had a good look at the updated script, hence the above. It
looks like it is not parsing the cert nickname correctly when there is a
space in it - hence the error message - but this is recoverable by
explicit use of certutil. The bigger problem is why does the
authentication still fail. This worked before with 1.13 and works with
Openswan using the same certificates.
I have also purged all old copies of libreswan and openswan from the
test system to try and get it to a well known state, in case that was
the problem.
I am thus guessing that, because of the parse problem in the import
script, no one has actually tested 1.15 with a CA having spaces in its
nickname, and hence I think that this is where the problem lies.
Tony Whyman
MWA
On 08/09/15 13:33, Paul Wouters wrote:
> On Tue, 8 Sep 2015, Tony Whyman wrote:
>
>> Subject: [Swan] Does libreswan 1.15 have a problem with spaces in CA
>> common
>> names/nicknames
>
>> certutil -L -d sql:/etc/ipsec.d
>>
>> Certificate Nickname                        Trust Attributes
>>                                             SSL,S/MIME,JAR/XPI
>>
>> rebecca.mwassocs.co.uk                      u,u,u
>> MWA Root CA                                 ,,
>
> You are missing the trust bits on your CA certificate. Upgrading should
> have caused you to run ipsec --checknss which should have added the
> trust bits for you. I wonder why that did not happen.
>
> try:
>
> certutil -M -d sql:/etc/ipsec.d -n "MWA Root CA" -t 'CT,,'
>
> Paul
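The two points in the thread, a nickname with spaces surviving the trip through a shell script and the CA entry needing the C trust flag in the SSL column of the certutil -L listing, can both be checked without touching a real NSS database. The script below is an added example and is not the original post's code, libreswan's import script, or certutil itself: count_args stands in for certutil so the example runs offline, the lookup_* and ca_trusted/fix_command helper names are hypothetical, and the two-line listing is constructed to match the shape of the one quoted above.

```shell
#!/bin/sh
# Added example (not libreswan's import script, not certutil): shows why an
# unquoted nickname breaks a certutil invocation, how to parse a certutil -L
# listing whose nicknames contain spaces, and how to spot a CA entry that is
# missing the C (trusted CA) flag.

# Stand-in for certutil so this runs offline: reports how many argv words arrived.
count_args() { echo "$#"; }

# Hypothetical import-script style helper, deliberately BROKEN: $NICK is
# unquoted, so the shell word-splits "MWA Root CA" into three arguments and
# -n only receives "MWA". Returns the argument count the stand-in saw.
lookup_unquoted() {
    NICK="$1"
    count_args -V -d sql:/etc/ipsec.d -n $NICK -u C
}

# Fixed form: "$NICK" stays a single argument whatever it contains.
lookup_quoted() {
    NICK="$1"
    count_args -V -d sql:/etc/ipsec.d -n "$NICK" -u C
}

# One line of certutil -L output looks like:  MWA Root CA     ,,
# The trust column is the last whitespace-separated field; the nickname is
# everything before it, internal spaces included.
trust_field() {
    printf '%s\n' "$1" | sed 's/.*[[:space:]]//'
}

nickname_field() {
    printf '%s\n' "$1" | sed 's/[[:space:]]*[^[:space:]]*$//'
}

# Return 0 when the SSL trust column (first comma-separated field) carries C,
# the flag that marks the entry as a trusted CA for the IPsec peer-cert check.
ca_trusted() {
    trust=$(trust_field "$1")
    ssl=${trust%%,*}
    case "$ssl" in
        *C*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Print the certutil command that sets the CA trust bits for this listing
# line, with the nickname quoted so spaces survive (same form as the thread).
fix_command() {
    nick=$(nickname_field "$1")
    printf 'certutil -M -d sql:/etc/ipsec.d -n "%s" -t "CT,,"\n' "$nick"
}

# Constructed sample listing, shaped like the one quoted in the thread.
SAMPLE='rebecca.mwassocs.co.uk                      u,u,u
MWA Root CA                                 ,,'

# Stand-alone demo: for each entry, skip certificates with a private key
# (the u bits, i.e. the host's own certificate) and emit a fix command for
# any remaining entry whose SSL column lacks C.
printf '%s\n' "$SAMPLE" | while IFS= read -r line; do
    case "$(trust_field "$line")" in *u*) continue ;; esac
    ca_trusted "$line" || fix_command "$line"
done
```

Running it prints the single fix command for "MWA Root CA"; the quoted/unquoted pair shows the stand-in receiving 7 arguments in one case and 9 in the other, which is exactly the difference between certutil looking up "MWA Root CA" and looking up "MWA" followed by two stray words.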