On Tue, 8 Sep 2015, Tony Whyman wrote:

Thanks for getting back. If you look down my original email, I have already tried:

certutil -V -d sql:/etc/ipsec.d -n "MWA Root CA" -u C
certutil: certificate is invalid: Peer's certificate issuer has been marked as not trusted by the user.
rebecca ~ # certutil -M -d sql:/etc/ipsec.d -n "MWA Root CA" -t "CT,"
rebecca ~ # certutil -V -d sql:/etc/ipsec.d -n "MWA Root CA" -u C
certutil: certificate is valid

but with no luck. I noted that your suggestion had two "," in it, so tried that as well, just in case, but still the same result.

Ok, then your issue has not been the update of the NSS database. Your
problem then lies in the fact that we now use NSS for the certificate
validation instead of the very old freeswan based x509*.c code.

Matt is a little more familiar with pulling on those kinds of errors, so
I've CC:ed him on this. If you can, please give me and/or him a copy of
your CA cert so we can have a look at it.

I am thus guessing that because of the parse problem in the import script, no one has actually tested 1.15 with a CA having spaces in its nickname - hence this is why I think that this is where the problem lies.

No that is not the problem. See:

https://github.com/libreswan/libreswan/blob/master/testing/pluto/nss-cert-01-ikev2/west.console.txt

All our test cases use a CA called "Libreswan test CA for mainca - Libreswan".

Paul