[Swan] Pluto crashes in FIPS mode in Centos7.4

Tuomo Soini tis at foobar.fi
Mon Jul 9 12:32:20 UTC 2018


On Mon, 9 Jul 2018 09:12:46 +0000
"Veetil, Vyshnav" <Vyshnav.Veetil at harman.com> wrote:

> Hi,
> In Centos 7.4, Pluto crashes in FIPS mode,
> because it expects the password in the below format:
> "NSS FIPS 140-2 Certificate DB:nsspassword"
> But currently the nsspassword is "NSS Certificate DB:nsspassword" in
> the nsspassword files:
> 1. /etc/ipsec.d/nsspassword
> 2. we use our custom nss db location; in that file also it's the same.
> When we change this nsspassword file to "NSS FIPS 140-2 Certificate
> DB:nsspassword" pluto comes up fine. But still the NSS authentication
> is failing with the below error in logs:
> Jun 27 12:36:11: authentication of "NSS FIPS 140-2 Certificate DB" failed
> Jun 27 12:36:11: FATAL: NSS initialization failure

This is not at all a crash. Pluto just exits because it can't open the NSS
database because of partial configuration.

In fips mode "NSS Certificate DB" is not used. Instead
"NSS FIPS 140-2 Certificate DB" is used - you need to have correct
password set in nsspassword file.  You can for example have:

--- 8< ---
NSS Certificate DB:mypassphrase
NSS FIPS 140-2 Certificate DB: mypassphrase
--- >8 ---

The first line is used in non-FIPS mode, the latter line is used in FIPS
mode.

PS. Please don't cross-post to both the swan and swan-dev mailing lists.
For configuration issues, use swan at lists.libreswan.org.


-- 
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
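As an added example (not part of this thread and not libreswan's own code): a small POSIX sh script that resolves which nsspassword entry pluto will authenticate against on a host and checks that the file has it. The two token names are the ones named in the reply above; everything else is an assumption of the example: that /proc/sys/crypto/fips_enabled is what decides the mode on the host, that an entry is "token:password" with the token matched exactly up to the first colon, and the sample nsspassword file, which is constructed here rather than taken from any real system.

```shell
#!/bin/sh
# Added example, not libreswan code: find the nsspassword entry pluto needs
# on this host (FIPS or non-FIPS) and report whether it is present.

# Token names NSS uses for the internal key slot in each mode (from the post).
NONFIPS_TOKEN="NSS Certificate DB"
FIPS_TOKEN="NSS FIPS 140-2 Certificate DB"

# Print 1 if the host is in FIPS mode, else 0.
# Assumption: /proc/sys/crypto/fips_enabled decides the mode on this host.
fips_enabled() {
    if [ -r /proc/sys/crypto/fips_enabled ]; then
        cat /proc/sys/crypto/fips_enabled
    else
        echo 0
    fi
}

# Print the token name pluto authenticates against for fips flag $1.
token_for_mode() {
    if [ "$1" = "1" ]; then
        printf '%s\n' "$FIPS_TOKEN"
    else
        printf '%s\n' "$NONFIPS_TOKEN"
    fi
}

# Print the password for token $2 from file $1; exit 1 if no line matches.
# Assumption: the token is everything before the first ':' and must match
# exactly; the password is everything after it (passwords may contain ':').
# Blank lines and '#' comments are skipped. Whitespace is NOT stripped.
nsspassword_lookup() {
    file=$1
    token=$2
    awk -v tok="$token" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            i = index($0, ":")
            if (i > 0 && substr($0, 1, i - 1) == tok) {
                print substr($0, i + 1)
                found = 1
                exit
            }
        }
        END { exit(found ? 0 : 1) }' "$file"
}

# Report whether file $1 has the entry needed for fips flag $2 (default:
# the host's own flag). Returns 0 when present, 1 when missing.
check_nsspassword() {
    file=$1
    mode=${2:-$(fips_enabled)}
    token=$(token_for_mode "$mode")
    if nsspassword_lookup "$file" "$token" >/dev/null; then
        echo "ok: $file has an entry for \"$token\" (fips=$mode)"
        return 0
    fi
    echo "missing: $file has no \"$token:<password>\" line (fips=$mode)" >&2
    return 1
}

# Demo on a constructed file (not a real /etc/ipsec.d/nsspassword):
# only the non-FIPS entry is present at first, as in the original report.
demo_dir=$(mktemp -d)
printf '%s\n' "$NONFIPS_TOKEN:mypassphrase" > "$demo_dir/nsspassword"
check_nsspassword "$demo_dir/nsspassword" 0            # ok
check_nsspassword "$demo_dir/nsspassword" 1 || true    # missing: FIPS entry
printf '%s\n' "$FIPS_TOKEN:mypassphrase" >> "$demo_dir/nsspassword"
check_nsspassword "$demo_dir/nsspassword" 1            # ok
rm -rf "$demo_dir"
```

The lookup returns the text after the colon verbatim, so a stray space after "DB:" becomes part of the password it reports; if pluto still logs an authentication failure for the right token name, compare that output with what the database actually accepts. One independent check, assuming the default sql:/etc/ipsec.d database (substitute the custom location from the original report if used), is `certutil -K -d sql:/etc/ipsec.d -f /etc/ipsec.d/nsspassword`: the NSS tools read the same "token:password" file format, and listing keys forces a login to the token in use.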

