Paul,

One more point: I modified set_db_trusts() in /usr/sbin/ipsec to see what was happening, i.e.

set_db_trusts() {
    # has to handle a NSS nick with spaces
    certutil -L -d "${IPSEC_NSSDIR_SQL}" | egrep -v 'Certificate|MIME' | awk '{$NF=""; print $0}' | grep -v "^$" | while read -r cert; do
        echo "Trying '$cert'"
        if certutil -L -d ${IPSEC_NSSDIR_SQL} -n "${cert}" | grep -q 'Is a CA' && [ $(certutil -L -d ${IPSEC_NSSDIR_SQL} -n "${cert}" | grep -i -A3 'ssl flags' | grep -i 'trusted' | wc -l) -ne 2 ]; then
            echo "correcting trust bits for ${cert}"
            certutil -M -d "${IPSEC_NSSDIR_SQL}" -n "${cert}" -t 'CT,,'
        fi
    done
}

Note the echo statement.

The result of running the script is now:

pk12util: PKCS12 IMPORT SUCCESSFUL
Trying 'rebecca.mwassocs.co.uk'
Trying 'MWA Root CA '
certutil: Could not find cert: MWA Root CA
: PR_FILE_NOT_FOUND_ERROR: File not found

Note the space at the end of the "cert" variable. This is why the script fails.

Tony Whyman
MWA
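The trailing-space parsing problem described above, worked through as an added example that is not part of this mail or of libreswan's own ipsec script: the sample listing is constructed, and untrusted_nicknames() only filters on the trust column, so the real loop's "Is a CA" check with certutil is still needed before any certutil -M is run.

```sh
#!/bin/sh
# Added example, not from the thread or libreswan's own ipsec script:
# parse `certutil -L` listing output so that nicknames containing spaces
# come out without the trailing blank that broke set_db_trusts().
# Constructed sample of `certutil -L -d sql:/etc/ipsec.d` output.
SAMPLE_LIST='
Certificate Nickname                            Trust Attributes
                                                SSL,S/MIME,JAR/XPI

rebecca.mwassocs.co.uk                          u,u,u
MWA Root CA                                     ,,
Example Intermediate CA                         CT,,
'

# Read a listing on stdin; print one "nickname<TAB>trust" line per cert.
# The original awk '{$NF=""; print $0}' rebuilds the record with a trailing
# OFS, which is the stray space in the thread; here the trust column is
# saved first and the nickname is trimmed explicitly.
nss_list_parse() {
    awk '
        NF == 0 { next }                                  # blank lines
        $NF == "Attributes" || $NF == "SSL,S/MIME,JAR/XPI" { next }  # header
        {
            trust = $NF
            $NF = ""
            sub(/[[:space:]]+$/, "")                      # drop trailing blank
            print $0 "\t" trust
        }'
}

# Nicknames whose SSL trust column (first comma field) lacks the CA flag "C".
# The real loop still runs `certutil -L -n "$nick" | grep 'Is a CA'` on each
# before touching it, which drops end-entity certs such as rebecca.* here.
untrusted_nicknames() {
    nss_list_parse | awk -F '\t' '{
        split($2, t, ",")
        if (index(t[1], "C") == 0) print $1
    }'
}

# Dry run: read nicknames on stdin, emit the certutil -M command for each,
# quoting the nickname so the embedded space survives. $1 is the NSS dir.
trust_fix_commands() {
    while IFS= read -r nick; do
        printf "certutil -M -d '%s' -n '%s' -t 'CT,,'\n" "$1" "$nick"
    done
}

printf '%s\n' "$SAMPLE_LIST" | untrusted_nicknames | trust_fix_commands sql:/etc/ipsec.d
```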

On 08/09/15 15:21, Tony Whyman wrote:
Paul,

Thanks for getting back. If you look down my original email, I have already tried:

certutil -V -d sql:/etc/ipsec.d -n "MWA Root CA" -u C
certutil: certificate is invalid: Peer's certificate issuer has been marked as not trusted by the user.
rebecca ~ # certutil -M -d sql:/etc/ipsec.d -n "MWA Root CA" -t "CT,"
rebecca ~ # certutil -V -d sql:/etc/ipsec.d -n "MWA Root CA" -u C
certutil: certificate is valid

but with no luck. I noted that your suggestion had two "," in it, so tried that as well, just in case, but still the same result.

There are probably two problems here. The first is with the import script. I had a good look at the updated script, hence the above. It looks like it is not parsing the cert nickname correctly when there is a space in it - hence the error message - but this is recoverable by explicit use of certutil. The bigger problem is why the authentication still fails. This worked before with 1.13 and works with Openswan using the same certificates.

I have also purged all old copies of libreswan and openswan from the test system to try and get it to a well known state, in case that was the problem.

I am thus guessing that because of the parse problem in the import script, no one has actually tested 1.15 with a CA having spaces in its nickname - hence this is why I think that this is where the problem lies.

Tony Whyman
MWA


On 08/09/15 13:33, Paul Wouters wrote:
On Tue, 8 Sep 2015, Tony Whyman wrote:

Subject: [Swan] Does libreswan 1.15 have a problem with spaces in CA common names/nicknames

certutil -L -d sql:/etc/ipsec.d

Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI

rebecca.mwassocs.co.uk u,u,u
MWA Root CA ,,

You are missing the trust bits on your CA certificate. Upgrading should
have caused you to run ipsec --checknss which should have added the
trust bits for you. I wonder why that did not happen.

Try:

certutil -M -d sql:/etc/ipsec.d -n "MWA Root CA" -t 'CT,,'

Paul

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
