[Swan] Does libreswan 1.15 have a problem with spaces in CA common names/nicknames
Paul Wouters
paul at nohats.ca
Tue Sep 8 19:44:22 UTC 2015
On Tue, 8 Sep 2015, Tony Whyman wrote:
> That set me on the right track. I was using a simple test CA certificate
> which has been around for a long time with a 1024 bit signing key. Replacing
> this with a new test CA with a 4096 bit key solved the authentication
> problem. Is withdrawal of support for 1024 bit keys declared anywhere?
That's odd, because we test with a CA of 1024 bit and most client certs
of 1024 except "bigkey" which is 2048 and "key4096". And those tests
pass for us. So I am not convinced it is the keysize, although it is
possible that the version of nss matters for this. Our tests used
nss-3.18.0-1.fc21.
> There is definitely a bug in the ipsec (import) script when the CA name has
> spaces. I have crudely fixed it by amending line 80 to
>
> certutil -L -d "${IPSEC_NSSDIR_SQL}" | egrep -v 'Certificate|MIME' |
>     awk '{$NF=""; print $0}' | awk '{gsub(/^ +| +$/,""); print}' |
>     grep -v "^$" | while read -r cert; do
>
> There may be a better way but this seems to remove the trailing white space
> that was causing the problem for me.
Thanks, we will fix the trailing space issue for the next release.
Paul
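
Added example (not from the thread and not the libreswan script): one way to extract nicknames from `certutil -L` output so that names with spaces survive intact. It goes a little beyond the case discussed above by also preserving repeated internal spaces and nicknames that contain the word "Certificate"; the function names, the assumed header layout and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `certutil -L` output (assumed layout: nickname
# column padded with spaces, trust attributes as the last column).
sample_listing() {
    printf '\n'
    printf '%-61s%s\n' 'Certificate Nickname' 'Trust Attributes'
    printf '%-61s%s\n' '' 'SSL,S/MIME,JAR/XPI'
    printf '\n'
    printf '%-61s%s\n' 'Test CA - Example Org' 'CT,, '   # trailing space
    printf '%-61s%s\n' 'west' 'u,u,u'
    printf '%-61s%s\n' 'Old  Certificate Authority' 'C,,'
}

# Hypothetical helper: read a certutil listing on stdin and print one
# nickname per line.
list_nicknames() {
    awk '
        # Drop only the two header lines, matched in full, so a nickname
        # that merely contains "Certificate" is not filtered out.
        /^Certificate Nickname[ \t]+Trust Attributes[ \t]*$/ { next }
        /^[ \t]+SSL,S\/MIME,JAR\/XPI[ \t]*$/ { next }
        /^[ \t]*$/ { next }
        {
            # Edit the line as text instead of assigning to $NF: assigning
            # a field rebuilds $0 and collapses runs of spaces in the name.
            sub(/[ \t]+$/, "")           # trailing whitespace
            sub(/[ \t]+[^ \t]+$/, "")    # trust-attributes column + padding
            print
        }'
}

# IFS= and -r keep leading spaces and backslashes in each nickname.
sample_listing | list_nicknames | while IFS= read -r cert; do
    printf '[%s]\n' "$cert"
done
```

Against a real database the input would come from `certutil -L -d "${IPSEC_NSSDIR_SQL}"` in place of `sample_listing`.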