[Swan] [EXTERNAL] Re: AW: Re: AW: Re: AW: INVALID_ID_INFORMATION
Paul Wouters
paul at nohats.ca
Wed Apr 3 19:47:26 UTC 2019
I probably mixed up answering different emails :)
Sorry about that
Sent from mobile device
> On Apr 2, 2019, at 18:52, LAURIA Giuseppe <giuseppe.lauria at axa-winterthur.ch> wrote:
>
> Hi Paul.
>
> Where did you see " authby=secret " ?
>
> You mean the 'old' environment ( connections ) worked without NSS ?
>
> The new one I'm pretty sure that it uses the entries that I modified from 'CT' to 'P'.
>
> I do not know that I lied. I would say I do not know the ipsec stuff. Maybe I misconfigured libreswan, but if the NSS was not used I did not know about it.
>
> Thank you again.
> Best regards.
> Giuseppe
>
>
> -----Original Message-----
> From: Paul Wouters <paul at nohats.ca>
> Sent: Tuesday, 2 April 2019 18:35
> To: LAURIA Giuseppe <giuseppe.lauria at axa-winterthur.ch>
> Cc: swan at lists.libreswan.org
> Subject: [EXTERNAL] Re: AW: Re: AW: Re: AW: [Swan] INVALID_ID_INFORMATION
>
>> On Tue, 2 Apr 2019, LAURIA Giuseppe wrote:
>>
>> We finally managed to have it running.
>
> Great!
>
>> I did not realize that the NSS database has to be 'correct'! In the past the NSS database was not; i.e. the peer public key was imported, but had the 'Trust Attribute' set to 'CT,,'. This worked in libreswan version libreswan-3.15-7.5.el6_9.x86_64.
>
> To be fair, all your connections showed authby=secret so no NSS database was used there. So you did lie a bit :)
>
>> certutil -d sql:. -M -n "<peer-cert-nickname>" -t "P,,"
>>
>>
>> "NEW"
>> certutil -L -d sql:.
>>
>> Certificate Nickname                                   Trust Attributes
>>                                                        SSL,S/MIME,JAR/XPI
>>
>> <peer-cert-nickname>                                   P,,
>
> That's good to know, I didn't know that. I tend to just generate a CA and peers.
>
> Paul
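The fix that worked in this thread was changing the peer certificate's NSS trust flags from 'CT,,' (trusted CA) to 'P,,' (trusted peer) with `certutil -M`. The script below is an added example, not something posted in the thread or shipped with libreswan: it reads a `certutil -L` listing from stdin, looks up the trust flags recorded for a given nickname, and reports whether the SSL column carries the "P" flag, printing the corrective `certutil -M` command from the thread when it does not (it never modifies the database itself). It assumes the database lives in the current directory (`sql:.`), as in the thread; the nicknames in the sample listing are constructed.

```sh
#!/bin/sh
# Added example (not from the thread or the libreswan project): audit the
# NSS trust flags of a peer certificate from a `certutil -L` listing.
# Assumption: the NSS database is "sql:." in the current directory.

# Prints the trust attributes recorded for the nickname given as $1 in a
# `certutil -L` listing read from stdin (prints nothing if it is absent).
# Nicknames may contain spaces, so the trust string is taken as the last
# whitespace-delimited field and the nickname as everything before it.
trust_of() {
    awk -v nick="$1" '
        # A trust string is three comma-separated groups of flag letters,
        # e.g. "P,,", "CT,," or ",,". The column header "SSL,S/MIME,JAR/XPI"
        # contains slashes and therefore does not match.
        $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            trust = $NF
            $NF = ""
            sub(/[ \t]+$/, "")
            if ($0 == nick) { print trust; exit }
        }'
}

# Returns 0 if the SSL column of the trust flags for nickname $1 contains
# "P" (trusted peer, what libreswan expects for a peer end-entity cert),
# 1 if the cert is listed with other flags (and prints the fix), and
# 2 if the nickname is not in the listing at all.
peer_trust_ok() {
    t=$(trust_of "$1")
    if [ -z "$t" ]; then
        echo "no certificate with nickname \"$1\" in the listing" >&2
        return 2
    fi
    ssl=${t%%,*}           # first column: SSL trust flags
    case "$ssl" in
        *P*) return 0 ;;
        *)
            printf 'fix: certutil -d sql:. -M -n "%s" -t "P,,"   # currently "%s"\n' "$1" "$t"
            return 1 ;;
    esac
}

# Constructed sample listing in the shape `certutil -L -d sql:.` prints.
SAMPLE='
Certificate Nickname                                   Trust Attributes
                                                       SSL,S/MIME,JAR/XPI

my-ca                                                  CT,,
peer-a                                                 CT,,
peer-b                                                 P,,
some peer with spaces                                  ,,
'

# Demo: peer-a is the situation from the thread (peer cert marked as a CA).
for n in peer-a peer-b "some peer with spaces"; do
    printf '%s\n' "$SAMPLE" | peer_trust_ok "$n" || true
done
```

Feed it the real listing with `certutil -L -d sql:. | peer_trust_ok "<peer-cert-nickname>"`; the script only prints the suggested command, so the actual change to the database remains a deliberate step.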