[Swan] Does libreswan 1.15 have a problem with spaces in CA common names/nicknames

Tony Whyman tony.whyman at mccallumwhyman.com
Tue Sep 8 16:38:20 UTC 2015


That set me on the right track. I was using a simple test CA certificate 
which has been around for a long time with a 1024 bit signing key. 
Replacing this with a new test CA with a 4096 bit key solved the 
authentication problem. Is withdrawal of support for 1024 bit keys 
declared anywhere?

There is definitely a bug in the ipsec (import) script when the CA name 
has spaces. I have crudely fixed it by amending line 80 to

certutil -L -d "${IPSEC_NSSDIR_SQL}" | egrep -v 'Certificate|MIME' | awk 
'{$NF=""; print $0}' | awk '{gsub(/^ +| +$/,"")}'| grep -v "^$" | while 
read -r cert; do

There may be a better way but this seems to remove the trailing white 
space that was causing the problem for me.

Tony Whyman

On 08/09/15 16:06, Paul Wouters wrote:
> Ok, then your issue has not been the update of the nss database. Your
> problem then lies in the fact that we now use NSS for the certificate
> validation instead of the very old freeswan based x509*.c code. 

More information about the Swan mailing list