[Swan] [EXTERNAL] Re: AW: Re: AW: INVALID_ID_INFORMATION
LAURIA Giuseppe
giuseppe.lauria at axa-winterthur.ch
Tue Apr 2 16:04:20 UTC 2019
Hi Paul.
Thank you very much for the help !
We finally managed to have it running.
I did not realize that the NSS database has to be 'correct'! In the past the NSS database was not; i.e. the peer public key was imported , but had the 'Trust Attribute' set to 'CT,,'. This worked in libreswan version libreswan-3.15-7.5.el6_9.x86_64.
Now with your valuable input and the good questions of a colleague, I found that it must be 'P,,' for libreswan-3.25-4.1.el7_6.x86_64 :
So I had to correct the NSS database using command certutil and -t ( trustargs ) with attribute 'P' ( Trusted peer ).
"OLD"
certutil -L -d sql:.
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
<peer-cert-nickname> CT,,
certutil -d sql:. -M -n "<peer-cert-nickname>" -t "P,,"
"NEW"
certutil -L -d sql:.
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
<peer-cert-nickname> P,,
Thank you very much!
Best regards.
Giuseppe
More information about the Swan
mailing list