[Swan] Does libreswan 1.15 have a problem with spaces in CA common names/nicknames
Tony Whyman
tony.whyman at mccallumwhyman.com
Tue Sep 8 14:32:20 UTC 2015
Paul,
One more point, I modified /usr/sbin/ipsec: set_db_trusts to see what was
happening, i.e.
set_db_trusts() {
    # has to handle a NSS nick with spaces
    certutil -L -d "${IPSEC_NSSDIR_SQL}" | egrep -v 'Certificate|MIME' \
        | awk '{$NF=""; print $0}' | grep -v "^$" | while read -r cert; do
        echo "Trying '$cert'"
        if certutil -L -d ${IPSEC_NSSDIR_SQL} -n "${cert}" | grep -q 'Is a CA' &&
            [ $(certutil -L -d ${IPSEC_NSSDIR_SQL} -n "${cert}" | grep -i -A3 'ssl flags' \
                | grep -i 'trusted' | wc -l) -ne 2 ]; then
            echo "correcting trust bits for ${cert}"
            certutil -M -d "${IPSEC_NSSDIR_SQL}" -n "${cert}" -t 'CT,,'
        fi
    done
}
Note the echo statement.
The result of running the script is now:
pk12util: PKCS12 IMPORT SUCCESSFUL
Trying 'rebecca.mwassocs.co.uk'
Trying 'MWA Root CA '
certutil: Could not find cert: MWA Root CA
: PR_FILE_NOT_FOUND_ERROR: File not found
Note the space at the end of the "cert" variable. This is why the script
fails.
Tony Whyman
MWA
On 08/09/15 15:21, Tony Whyman wrote:
> Paul,
>
> Thanks for getting back. If you look down my original EMail, I have
> already tried:
>
> certutil -V -d sql:/etc/ipsec.d -n "MWA Root CA" -u C
> certutil: certificate is invalid: Peer's certificate issuer has been
> marked as not trusted by the user.
> rebecca ~ # certutil -M -d sql:/etc/ipsec.d -n "MWA Root CA" -t "CT,"
> rebecca ~ # certutil -V -d sql:/etc/ipsec.d -n "MWA Root CA" -u C
> certutil: certificate is valid
>
> but with no luck. I noted that your suggestion had two "," in it, so
> tried that as well, just in case, but still the same result.
>
> There are probably two problems here. The first is with the import
> script. I had a good look at the updated script, hence the above. It
> looks like it is not parsing the cert nickname correctly when there is
> a space in it - hence the error message - but this is recoverable by
> explicit use of certutil. The bigger problem is why does the
> authentication still fail. This worked before with 1.13 and works with
> Openswan using the same certificates.
>
> I have also purged all old copies of libreswan and openswan from the
> test system to try and get it to a well known state, in case that was
> the problem.
>
> I am thus guessing that because of the parse problem in the import
> script, no one has actually tested 1.15 with a CA having spaces in its
> nickname - hence this is why I think that this is where the problem lies.
>
> Tony Whyman
> MWA
>
>
> On 08/09/15 13:33, Paul Wouters wrote:
>> On Tue, 8 Sep 2015, Tony Whyman wrote:
>>
>>> Subject: [Swan] Does libreswan 1.15 have a problem with spaces in CA common names/nicknames
>>
>>> certutil -L -d sql:/etc/ipsec.d
>>>
>>> Certificate Nickname Trust Attributes
>>> SSL,S/MIME,JAR/XPI
>>>
>>> rebecca.mwassocs.co.uk u,u,u
>>> MWA Root CA ,,
>>
>> You are missing the trust bits on your CA certificate. Upgrading should
>> have caused you to run ipsec --checknss which should have added the
>> trust bits for you. I wonder why that did not happen.
>>
>> try:
>>
>> certutil -M -d sql:/etc/ipsec.d -n "MWA Root CA" -t 'CT,,'
>>
>> Paul
>
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
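The nickname-parsing problem discussed in this thread, reproduced as an added example (not the libreswan script and not code from the thread): the awk-based parse from set_db_trusts is run beside a sed-based parse over a constructed copy of `certutil -L` output, and an exact-match lookup stands in for `certutil -n`. It assumes, as the real output does, that the trust-attributes column is the last whitespace-free token on each line.

```shell
# Constructed sample of `certutil -L` output (not from a real NSS database);
# "MWA Root CA" contains spaces and the trust column is the last token.
SAMPLE_CERT_LIST='Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

rebecca.mwassocs.co.uk                        u,u,u
MWA Root CA                                   ,,'

# Parse as set_db_trusts did: awk blanks the last field but re-joins the
# remaining fields with its OFS, so the nickname comes back as
# "MWA Root CA " (trailing space).  As a side effect, runs of internal
# whitespace inside a nickname are also collapsed to a single space.
buggy_nicknames() {
    printf '%s\n' "$SAMPLE_CERT_LIST" | grep -Ev 'Certificate|MIME' \
        | awk '{$NF=""; print $0}' | grep -v '^$'
}

# Fixed parse (assumption: trust attributes never contain whitespace):
# strip the trailing trust column plus the whitespace before it, then any
# leading whitespace, leaving the nickname exactly as NSS stores it.
# The 'Certificate|MIME' header filter is kept from the original; note it
# would also hide a certificate whose nickname contains either word.
fixed_nicknames() {
    printf '%s\n' "$SAMPLE_CERT_LIST" | grep -Ev 'Certificate|MIME' \
        | sed -E 's/[[:space:]]+[^[:space:]]+$//; s/^[[:space:]]+//' \
        | grep -v '^$'
}

# Exact-match lookup standing in for `certutil -L -n "$1"`: NSS matches
# the nickname byte for byte, so a trailing space means "not found".
find_cert() {
    fixed_nicknames | grep -qxF -- "$1"
}

# Trace mirroring the "Trying '...'" output from the thread; IFS= keeps
# read from trimming whitespace so the quotes show exactly what is parsed.
fixed_nicknames | while IFS= read -r cert; do
    printf "Trying '%s'\n" "$cert"
done
```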