[Swan] Does libreswan 1.15 have a problem with spaces in CA common names/nicknames

Tony Whyman tony.whyman at mccallumwhyman.com
Tue Sep 8 14:32:20 UTC 2015


Paul,

One more point, I modified /usr/sbin/ipsec: set_db_trust to see what was 
happening i.e.

set_db_trusts() {
     # has to handle a NSS nick with spaces
     certutil -L -d "${IPSEC_NSSDIR_SQL}" | egrep -v 'Certificate|MIME' 
| awk '{$NF=""; print $0}' | grep -v "^$" | while read -r cert; do
echo "Trying '$cert'"
         if certutil -L -d ${IPSEC_NSSDIR_SQL} -n "${cert}" | grep -q 
'Is a CA' &&
           [ $(certutil -L -d ${IPSEC_NSSDIR_SQL} -n "${cert}" | grep -i 
-A3 'ssl flags' | grep -i 'trusted' | wc -l) -ne 2 ]; then
             echo "correcting trust bits for ${cert}"
             certutil -M -d "${IPSEC_NSSDIR_SQL}" -n "${cert}" -t 'CT,,'
         fi
     done
}

note the echo statement.

The result of running the script is now:

pk12util: PKCS12 IMPORT SUCCESSFUL
Trying 'rebecca.mwassocs.co.uk'
Trying 'MWA Root CA '
certutil: Could not find cert: MWA Root CA
: PR_FILE_NOT_FOUND_ERROR: File not found

Note the space at the end of the "cert" variable. This is why the script 
fails.

Tony Whyman
MWA

On 08/09/15 15:21, Tony Whyman wrote:
> Paul,
>
> Thanks for getting back. If you look down my original EMail, I have 
> already tried:
>
> certutil -V -d sql:/etc/ipsec.d -n "MWA Root CA" -u C
> certutil: certificate is invalid: Peer's certificate issuer has been 
> marked as not trusted by the user.
> rebecca ~ # certutil -M -d sql:/etc/ipsec.d -n "MWA Root CA" -t "CT,"
> rebecca ~ # certutil -V -d sql:/etc/ipsec.d -n "MWA Root CA" -u C
> certutil: certificate is valid
>
> but with no luck. I noted that your suggestion had two "," in it, so 
> tried that as well, just in case, but still the same result.
>
> There are probably two problems here. The first is with the import 
> script. I had a good look at the updated script, hence the above. It 
> looks like it is not parsing the cert nickname correctly when there is 
> a space in it - hence the error message - but this is recoverable by 
> explicit use of certutil. The bigger problem is why does the 
> authentication still fail. This worked before with 1.13 and works with 
> Openswan using the same certificates.
>
> I have also purged all old copies of libreswan and openswan from the 
> test system to try and get it to a well known state, in case that was 
> the problem.
>
> I am thus guessing that because of the parse problem in the import 
> script, no one has actually tested 1.15 with a CA having spaces in its 
> nickname - hence this is why I think that this is where the problem lies.
>
> Tony Whyman
> MWA
>
>
> On 08/09/15 13:33, Paul Wouters wrote:
>> On Tue, 8 Sep 2015, Tony Whyman wrote:
>>
>>> Subject: [Swan] Does libreswan 1.15 have a problem with spaces in CA 
>>> common
>>>     names/nicknames
>>
>>> certutil -L -d sql:/etc/ipsec.d
>>>
>>> Certificate Nickname Trust Attributes
>>> SSL,S/MIME,JAR/XPI
>>>
>>> rebecca.mwassocs.co.uk u,u,u
>>> MWA Root CA ,,
>>
>> You are missing the trust bits on your CA certificate. Upgrading should
>> have caused you to run ipsec --checknss which should have added the
>> trust bits for you. I wonder what that did not happen.
>>
>> try:
>>
>> certutil -M -d sql:/etc/ipsec.d -n "MWA Root CA" -t 'CT,,'
>>
>> Paul
>
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan



More information about the Swan mailing list