[Swan] Does libreswan 1.15 have a problem with spaces in CA common names/nicknames

Paul Wouters paul at nohats.ca
Tue Sep 8 19:44:22 UTC 2015

On Tue, 8 Sep 2015, Tony Whyman wrote:

> That set me on the right track. I was using a simple test CA certificate 
> which has been around for a long time with a 1024 bit signing key. Replacing 
> this with a new test CA with a 4096 bit key solved the authentication 
> problem. Is withdrawal of support for 1024 bit keys declared anywhere?

That's odd, because we test with a CA of 1024 bit and most client certs
of 1024 except "bigkey" which is 2048 and "key4096". And those tests
pass for us. So I am not convinced it is the keysize, although it is
possible that the version of nss matters for this. Our tests used

> There is definitely a bug in the ipsec (import) script when the CA name has 
> spaces. I have crudely fixed it by amending line 80 to
> certutil -L -d "${IPSEC_NSSDIR_SQL}" | egrep -v 'Certificate|MIME' | awk 
> '{$NF=""; print $0}' | awk '{gsub(/^ +| +$/,"")}'| grep -v "^$" | while read 
> -r cert; do
> There may be a better way but this seems to remove the trailing white space 
> that was causing the problem for me.

Thanks, we will fix the trailing space issue for the next release.


More information about the Swan mailing list