[Swan] Does libreswan 1.15 have a problem with spaces in CA common names/nicknames

Tony Whyman tony.whyman at mccallumwhyman.com
Tue Sep 8 14:21:37 UTC 2015


Paul,

Thanks for getting back. If you look down my original email, I have 
already tried:

certutil -V -d sql:/etc/ipsec.d -n "MWA Root CA" -u C
certutil: certificate is invalid: Peer's certificate issuer has been 
marked as not trusted by the user.
rebecca ~ # certutil -M -d sql:/etc/ipsec.d -n "MWA Root CA" -t "CT,"
rebecca ~ # certutil -V -d sql:/etc/ipsec.d -n "MWA Root CA" -u C
certutil: certificate is valid

but with no luck. I noted that your suggestion had two "," in it, so 
tried that as well, just in case, but still the same result.

There are probably two problems here. The first is with the import 
script. I had a good look at the updated script, hence the above. It 
looks like it is not parsing the cert nickname correctly when there is a 
space in it - hence the error message - but this is recoverable by 
explicit use of certutil. The bigger problem is why the 
authentication still fails. This worked before with 1.13 and works with 
Openswan using the same certificates.

I have also purged all old copies of libreswan and openswan from the 
test system to try and get it to a well known state, in case that was 
the problem.

I am thus guessing that because of the parse problem in the import 
script, no one has actually tested 1.15 with a CA having spaces in its 
nickname - hence this is why I think that this is where the problem lies.

Tony Whyman
MWA


On 08/09/15 13:33, Paul Wouters wrote:
> On Tue, 8 Sep 2015, Tony Whyman wrote:
>
>> Subject: [Swan] Does libreswan 1.15 have a problem with spaces in CA 
>> common
>>     names/nicknames
>
>> certutil -L -d sql:/etc/ipsec.d
>>
>> Certificate Nickname Trust Attributes
>> SSL,S/MIME,JAR/XPI
>>
>> rebecca.mwassocs.co.uk u,u,u
>> MWA Root CA                                                  ,,
>
> You are missing the trust bits on your CA certificate. Upgrading should
> have caused you to run ipsec --checknss which should have added the
> trust bits for you. I wonder why that did not happen.
>
> try:
>
> certutil -M -d sql:/etc/ipsec.d -n "MWA Root CA" -t 'CT,,'
>
> Paul
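The two failure points in this thread are a CA nickname containing spaces being split by a script, and a CA sitting in the NSS database without the "C" trust flag. The following is an added example, not code from this thread or from the libreswan project, of checking `certutil -L` output in a way that keeps multi-word nicknames intact and reports whether the SSL trust column carries "C". The listing it parses is a constructed sample modelled on the output quoted above; the nickname "Example Trusted CA" is made up. It generalises to any nickname with spaces, since the nickname is taken as everything before the final trust-attribute field rather than the first whitespace-delimited token.

```shell
#!/bin/sh
# Added example (not from the thread or libreswan): parse `certutil -L`
# output so nicknames with spaces ("MWA Root CA") survive, and report
# whether the SSL trust column contains the "C" (trusted CA) flag.

# Constructed sample of `certutil -L -d sql:/etc/ipsec.d` output, modelled
# on the thread. "Example Trusted CA" is a made-up nickname.
SAMPLE_CERTUTIL_L='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

rebecca.mwassocs.co.uk                                       u,u,u
MWA Root CA                                                  ,,
Example Trusted CA                                           CT,,
'

# trust_attrs NICKNAME LISTING
# Prints the trust-attribute column for NICKNAME, or nothing if absent.
# The trust attributes are always the last whitespace-separated field, so
# the nickname is the line minus that field and its padding. A naive
# `awk '{print $1}'` would turn "MWA Root CA" into "MWA", which is the
# kind of split that breaks an import script on such names.
trust_attrs() {
    nick=$1
    listing=$2
    printf '%s\n' "$listing" | awk -v want="$nick" '
        NF >= 2 {
            attrs = $NF
            line = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", line)   # drop trailing field
            sub(/^[ \t]+/, "", line)                # drop leading padding
            if (line == want) { print attrs; exit }
        }'
}

# ca_has_c_flag NICKNAME LISTING
# Returns 0 when the first (SSL) trust column contains "C", i.e. NSS treats
# the certificate as a trusted CA; 1 otherwise, including when not found.
ca_has_c_flag() {
    attrs=$(trust_attrs "$1" "$2")
    ssl=${attrs%%,*}
    case $ssl in
        *C*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Stand-alone run over the constructed sample. Against a live database you
# would pass "$(certutil -L -d sql:/etc/ipsec.d)" as the second argument.
for n in "MWA Root CA" "Example Trusted CA"; do
    if ca_has_c_flag "$n" "$SAMPLE_CERTUTIL_L"; then
        echo "$n: trusted CA (C flag present)"
    else
        echo "$n: not trusted as CA; fix with:" \
             "certutil -M -d sql:/etc/ipsec.d -n \"$n\" -t 'CT,,'"
    fi
done
```

After applying the `certutil -M ... -t 'CT,,'` repair suggested above, `certutil -V -d sql:/etc/ipsec.d -n "MWA Root CA" -u C` remains the authoritative check; the parsing here only tells you what the listing shows, which is useful when an upgrade or import step was supposed to set the trust bits and you want to confirm it did.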
