Re: [Swan-dev] ikev2-12-x509-ikev1* tests fail

2015-09-08 Thread Paul Wouters
On Tue, 8 Sep 2015, Andrew Cagney wrote: these should be fixed if you add RETRANSMIT_INTERVAL_DEFAULT=1 to Makefile.inc.local and re-compile. I'm puzzled. These specific tests require their own custom build, or all our test builds require this tweak? I prefer to test what we ship (which

Re: [Swan] Does libreswan 1.15 have a problem with spaces in CA common names/nicknames

2015-09-08 Thread Tony Whyman
Ubuntu 14.04 uses 3.19.2. On 08/09/15 20:44, Paul Wouters wrote: Our tests used nss-3.18.0-1.fc21.

Re: [Swan] Does libreswan 1.15 have a problem with spaces in CA common names/nicknames

2015-09-08 Thread Paul Wouters
On Tue, 8 Sep 2015, Tony Whyman wrote: That set me on the right track. I was using a simple test CA certificate which has been around for a long time with a 1024 bit signing key. Replacing this with a new test CA with a 4096 bit key solved the authentication problem. Is withdrawal of support

Re: [Swan] Does libreswan 1.15 have a problem with spaces in CA common names/nicknames

2015-09-08 Thread Tony Whyman
Paul, Thanks for getting back. If you look down my original EMail, I have already tried:

certutil -V -d sql:/etc/ipsec.d -n "MWA Root CA" -u C
certutil: certificate is invalid: Peer's certificate issuer has been marked as not trusted by the user.
rebecca ~ # certutil -M -d sql:/etc/ipsec.d

Re: [Swan-dev] ikev2-12-x509-ikev1* tests fail

2015-09-08 Thread Antony Antony
On Tue, Sep 08, 2015 at 02:19:47PM -0400, Andrew Cagney wrote:
> On 7 September 2015 at 12:06, Paul Wouters wrote:
> > On Sat, 5 Sep 2015, D. Hugh Redelmeier wrote:
> >
> >> I imagine that somebody changed something without updating the
> >> reference logs.
> >>
> >> Please fix

Re: [Swan] Does libreswan 1.15 have a problem with spaces in CA common names/nicknames

2015-09-08 Thread Paul Wouters
On Tue, 8 Sep 2015, Tony Whyman wrote: Subject: Re: [Swan] Does libreswan 1.15 have a problem with spaces in CA common names/nicknames Ubuntu 14.04 uses 3.19.2. On 08/09/15 20:44, Paul Wouters wrote: Our tests used nss-3.18.0-1.fc21. I just reran the test with nss-3.20 and the 1024 bit

Re: [Swan] Does libreswan 1.15 have a problem with spaces in CA common names/nicknames

2015-09-08 Thread Tony Whyman
Paul, That set me on the right track. I was using a simple test CA certificate which has been around for a long time with a 1024 bit signing key. Replacing this with a new test CA with a 4096 bit key solved the authentication problem. Is withdrawal of support for 1024 bit keys declared

Re: [Swan] Does libreswan 1.15 have a problem with spaces in CA common names/nicknames

2015-09-08 Thread Tony Whyman
Paul, One more point, I modified /usr/sbin/ipsec: set_db_trust to see what was happening i.e.

set_db_trusts() {
    # has to handle a NSS nick with spaces
    certutil -L -d "${IPSEC_NSSDIR_SQL}" | egrep -v 'Certificate|MIME' | awk '{$NF=""; print $0}' | grep -v "^$" | while read -r cert; do