Paul,
That set me on the right track. I was using a simple test CA certificate
which has been around for a long time with a 1024 bit signing key.
Replacing this with a new test CA with a 4096 bit key solved the
authentication problem. Is withdrawal of support for 1024 bit keys
declared anywhere?
There is definitely a bug in the ipsec (import) script when the CA name
has spaces. I have crudely fixed it by amending line 80 to
    certutil -L -d "${IPSEC_NSSDIR_SQL}" | egrep -v 'Certificate|MIME' |
      awk '{$NF=""; print $0}' | awk '{gsub(/^ +| +$/,""); print}' |
      grep -v "^$" | while read -r cert; do
There may be a better way but this seems to remove the trailing white
space that was causing the problem for me.
Tony Whyman
MWA
On 08/09/15 16:06, Paul Wouters wrote:
Ok, then your issue has not been the update of the nss database. Your
problem then lies in the fact that we now use NSS for the certificate
validation instead of the very old freeswan based x509*.c code.
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
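
Added example, not part of the original message or of the libreswan ipsec script: a stand-alone sketch of the nickname extraction discussed above, showing why blanking the last awk field leaves a trailing space and one way to strip the trust-flags column without it. The function names and the sample listing are constructed for illustration; the listing assumes the usual two-header-line layout of `certutil -L`.

```sh
#!/bin/sh
# Constructed sample in the layout `certutil -L` prints: two header lines,
# then one "nickname   trust-flags" row per certificate.
sample_listing() {
cat <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Test CA 4096                                                 CT,,
east.example.test                                            u,u,u
Old  Lab CA                                                  C,,
EOF
}

# Extraction that blanks the last field: awk rebuilds $0 with single-space
# separators, so every nickname ends in a space and internal runs of
# spaces are collapsed ("Old  Lab CA" becomes "Old Lab CA ").
nicknames_trailing_space() {
    grep -E -v 'Certificate|MIME' | awk '{$NF=""; print $0}' | grep -v '^ *$'
}

# Alternative: delete the final whitespace-delimited field (the trust flags)
# plus the padding before it, leaving the nickname byte-for-byte intact.
# Same header filter as in the thread, so a nickname containing
# "Certificate" or "MIME" would still be dropped by it.
nicknames_clean() {
    grep -E -v 'Certificate|MIME' |
        sed -E 's/[[:space:]]+[^[:space:]]+[[:space:]]*$//' |
        grep -v '^[[:space:]]*$'
}

# Demo: quote each result so stray whitespace would be visible.
sample_listing | nicknames_clean | while IFS= read -r cert; do
    printf '[%s]\n' "$cert"
done
```

Reading with `IFS= read -r` matters in the loop as well: it stops the shell from trimming or splitting the nickname before it is passed on as a lookup key.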