[Swan] [EXTERNAL] Re: AW: Re: AW: INVALID_ID_INFORMATION

LAURIA Giuseppe giuseppe.lauria at axa-winterthur.ch
Tue Apr 2 16:04:20 UTC 2019


Hi Paul.

Thank you very much for the help!

We finally managed to have it running.

I did not realize that the NSS database has to be 'correct'! In the past the NSS database was not; i.e. the peer public key was imported, but had the 'Trust Attribute' set to 'CT,,'. This worked in libreswan version libreswan-3.15-7.5.el6_9.x86_64.

Now with your valuable input and the good questions of a colleague, I found that it must be 'P,,' for libreswan-3.25-4.1.el7_6.x86_64:

So I had to correct the NSS database using the certutil command with -t (trustargs) and attribute 'P' (trusted peer).


"OLD"
certutil -L -d sql:.

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

<peer-cert-nickname>                                         CT,,
certutil -d sql:.  -M -n "<peer-cert-nickname>" -t "P,,"


"NEW"
certutil -L -d sql:.

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

<peer-cert-nickname>                                         P,,


Thank you very much!

Best regards.
Giuseppe

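As an added example (not part of this email thread or of libreswan itself): a small POSIX shell helper that parses `certutil -L -d sql:DIR` output and prints the `certutil -M` fix-up for every certificate whose SSL trust column does not contain 'P'. The listing is read from stdin so it can be run against a constructed sample without an NSS database; the nicknames in the sample are made up.

```shell
#!/bin/sh
# Added example (not from the original email): audit the trust flags that
# `certutil -L -d sql:DIR` reports and emit the certutil -M command for each
# certificate whose SSL trust column is not 'P' (trusted peer).

# Print "nickname<TAB>trustargs" for each certificate line of a certutil -L listing.
parse_certutil_listing() {
    awk '
        # skip the header line, its continuation line and blank lines
        /^Certificate Nickname/ || /^ *SSL,S\/MIME,JAR\/XPI/ || /^ *$/ { next }
        {
            trust = $NF                              # trust args, e.g. CT,, or P,,
            nick = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)   # strip the trailing trust column
            printf "%s\t%s\n", nick, trust
        }'
}

# Return 0 when the SSL part of the trust args (before the first comma) contains P.
ssl_trust_is_peer() {
    case "${1%%,*}" in
        *P*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Read a listing on stdin; print a certutil -M command for each nickname whose
# SSL trust is not 'P'. $1 is the NSS database directory (default: .).
peer_trust_fixups() {
    dir="${1:-.}"
    parse_certutil_listing | while IFS="$(printf '\t')" read -r nick trust; do
        if ! ssl_trust_is_peer "$trust"; then
            printf 'certutil -d sql:%s -M -n "%s" -t "P,,"\n' "$dir" "$nick"
        fi
    done
}

# Constructed sample listing (hypothetical nicknames) in certutil -L format.
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

peer-gw-example                                              CT,,
peer-gw-fixed                                                P,,
'
```

On a real host, pipe `certutil -L -d sql:/etc/ipsec.d | peer_trust_fixups /etc/ipsec.d` and review the printed commands before running them.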
