[Swan] ipsec newhostkey / showhostkey does not work well in 3.17

Noam Singer noam at fortycloud.com
Tue May 3 11:23:39 UTC 2016


Hello group,

I just installed LibreSwan 3.17 on a fresh machine.

I tried creating a public key using the following basic script:

    echo "" > /tmp/nsspassword
    rm -f /etc/ipsec.secrets
    certutil -N -d /etc/ipsec.d -f /tmp/nsspassword
    ipsec newhostkey --output /etc/ipsec.secrets --configdir /etc/ipsec.d --seeddev /dev/urandom --bits 2192

However, for some reason, the generated /etc/ipsec.secrets does not contain
the Modulus lines.

Is this a new bug in 3.17 or am I doing something wrong?

See below for details.

Thanks in advance.




root@noamlon19:~# ipsec --version
Linux Libreswan 3.17 (netkey) on 3.13.0-85-generic

root@noam19:~# cat gen.sh
echo "" > /tmp/nsspassword
rm -f /etc/ipsec.secrets
certutil -N -d /etc/ipsec.d -f /tmp/nsspassword
ipsec newhostkey --output /etc/ipsec.secrets --configdir /etc/ipsec.d --seeddev /dev/urandom --bits 2192
ipsec showhostkey --left
cat /etc/ipsec.secrets

root@noam19:~# bash -x gen.sh
+ echo ''
+ rm -f /etc/ipsec.secrets
+ certutil -N -d /etc/ipsec.d -f /tmp/nsspassword
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password:
Re-enter password:
Password changed successfully.
+ ipsec newhostkey --output /etc/ipsec.secrets --configdir /etc/ipsec.d --seeddev /dev/urandom --bits 2192
Generated RSA key pair was stored in the NSS database
+ ipsec showhostkey --left
ipsec showhostkey loading secrets from "/etc/ipsec.secrets"
ipsec showhostkey "/etc/ipsec.secrets" line 6: Modulus keyword not found where expected in RSA key
No keys found
+ cat /etc/ipsec.secrets
: RSA   {
        # RSA 2192 bits   noam19   Tue May  3 10:55:45 2016
        # for signatures only, UNSAFE FOR ENCRYPTION

#pubkey=0sAQPbG9AuTgIvXlD9b0cBHhMJuZbaddPArzNJQ0lEt6uulxsOtbGwAXsmJHRlVyjcCpVnJazjEFswblXqJhkRHOc9Bhaer9Quy82Eou8bT+WxwrYf3Ya7IWdxsbplVBMdi/DPC0KfoRU1rr4v0SBubCfxSi8IJ4GYn8Z1sQoNcUKBfZizRkvFqZHMX/WexpP3VO1kbZ+hbnpJnLmevji0XY9IADhQkFLQ9SRxGxgsj+GDTDpynAP5P/da96yUnQRDFgowM8tKR6zqcOqPuGCzWnjxDv35ZWxLAxl3hRKucsOms4QGrQ2b0WQTLjKWGXPxv1s7pq054btWLEdCgMkMUisRcxaet2fBFs2HIwwpk8Eh3Hyp
        #CKAIDNSS: 0xd7e0e555af003240cb089b8f5f52de777557f4cb
        }
# do not change the indenting of that "}"