Paul,

Thanks for getting back. If you look down my original email, I have already tried:

certutil -V -d sql:/etc/ipsec.d -n "MWA Root CA" -u C
certutil: certificate is invalid: Peer's certificate issuer has been marked as not trusted by the user.
rebecca ~ # certutil -M -d sql:/etc/ipsec.d -n "MWA Root CA" -t "CT,"
rebecca ~ # certutil -V -d sql:/etc/ipsec.d -n "MWA Root CA" -u C
certutil: certificate is valid

but with no luck. I noted that your suggestion had two "," in it, so tried that as well, just in case, but still the same result.

There are probably two problems here. The first is with the import script. I had a good look at the updated script, hence the above. It looks like it is not parsing the cert nickname correctly when there is a space in it - hence the error message - but this is recoverable by explicit use of certutil. The bigger problem is why the authentication still fails. This worked before with 1.13 and works with Openswan using the same certificates.

I have also purged all old copies of libreswan and openswan from the test system to try and get it to a well known state, in case that was the problem.

I am thus guessing that because of the parse problem in the import script, no one has actually tested 1.15 with a CA having spaces in its nickname - hence this is why I think that this is where the problem lies.

Tony Whyman
MWA


On 08/09/15 13:33, Paul Wouters wrote:
On Tue, 8 Sep 2015, Tony Whyman wrote:

Subject: [Swan] Does libreswan 1.15 have a problem with spaces in CA common
    names/nicknames

certutil -L -d sql:/etc/ipsec.d

Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI

rebecca.mwassocs.co.uk u,u,u
MWA Root CA                                                  ,,

You are missing the trust bits on your CA certificate. Upgrading should
have caused you to run ipsec --checknss which should have added the
trust bits for you. I wonder why that did not happen.

try:

certutil -M -d sql:/etc/ipsec.d -n "MWA Root CA" -t 'CT,,'

Paul
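The two things the thread turns on are the trust column in the `certutil -L` listing (a CA entry showing `,,` has no `C` flag in the SSL column, so NSS will not treat it as a trusted issuer) and the fact that a nickname with spaces such as "MWA Root CA" has to be quoted when it is passed to certutil. The following is an added example, not code from the thread, libreswan or NSS: it parses a constructed copy of the listing format shown above, reports CA-style entries that lack the `C` flag, and builds a correctly quoted `certutil -M` command for each. The third entry in the sample listing, "Example Org Root CA", is made up for illustration.

```python
import shlex
from typing import Dict, List, Tuple

# Constructed sample of `certutil -L -d sql:/etc/ipsec.d` output, modelled on the
# listing in the thread. "Example Org Root CA" is a made-up entry that already
# carries the CA trust flag, so the check has both a failing and a passing case.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

rebecca.mwassocs.co.uk                                       u,u,u
MWA Root CA                                                  ,,
Example Org Root CA                                          CT,,
"""

# Trust flag letters certutil prints; an empty column means "no trust set".
TRUST_FLAG_CHARS = set("pPcCTuw")

# (SSL, S/MIME, JAR/XPI) columns of the trust string
TrustFlags = Tuple[str, str, str]


def parse_certutil_listing(text: str) -> Dict[str, TrustFlags]:
    """Map each nickname in a `certutil -L` listing to its three trust columns.

    The trust string never contains whitespace, so the line is split once from
    the right: the last token is the trust string and everything before it is
    the nickname, embedded spaces included. Header lines are dropped because
    their last token is not a three-column trust string."""
    certs: Dict[str, TrustFlags] = {}
    for line in text.splitlines():
        parts = line.rstrip().rsplit(None, 1)
        if len(parts) != 2:
            continue
        nickname, trust = parts
        cols = trust.split(",")
        if len(cols) != 3 or not all(set(c) <= TRUST_FLAG_CHARS for c in cols):
            continue  # "Trust Attributes" header line or other non-entry
        certs[nickname] = (cols[0], cols[1], cols[2])
    return certs


def missing_ca_trust(certs: Dict[str, TrustFlags]) -> List[str]:
    """Nicknames whose SSL column lacks 'C' (trusted CA for issuing peer certs).

    Entries marked 'u' are the host's own certificates with a private key and
    are not expected to carry CA trust, so they are ignored."""
    return [
        nick for nick, (ssl, _smime, _jar) in certs.items()
        if "u" not in ssl and "C" not in ssl
    ]


def fix_command(db_dir: str, nickname: str, trust: str = "CT,,") -> str:
    """Build the `certutil -M` invocation that sets CA trust on one entry.

    shlex.quote wraps the nickname so that a shell does not split
    'MWA Root CA' into three separate arguments."""
    return "certutil -M -d {} -n {} -t {}".format(
        shlex.quote(db_dir), shlex.quote(nickname), shlex.quote(trust)
    )


def report(listing: str, db_dir: str = "sql:/etc/ipsec.d") -> List[str]:
    """Return the fix commands for every CA entry that is missing trust bits."""
    certs = parse_certutil_listing(listing)
    return [fix_command(db_dir, nick) for nick in missing_ca_trust(certs)]


if __name__ == "__main__":
    for cmd in report(SAMPLE_LISTING):
        print(cmd)
```

Running the script on the constructed listing prints a single line, `certutil -M -d sql:/etc/ipsec.d -n 'MWA Root CA' -t CT,,`, which is the quoted form of the command Paul suggested; to check a real database, feed it the output of `certutil -L -d sql:/etc/ipsec.d` instead of the sample, then confirm the result with `certutil -V -u C` on the same nickname as Tony did above.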

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
