On Tue, 8 Sep 2015, Tony Whyman wrote:

> That set me on the right track. I was using a simple test CA certificate which has been around for a long time with a 1024 bit signing key. Replacing this with a new test CA with a 4096 bit key solved the authentication problem. Is withdrawal of support for 1024 bit keys declared anywhere?

That's odd, because we test with a CA of 1024 bit and most client certs
of 1024 except "bigkey" which is 2048 and "key4096". And those tests
pass for us. So I am not convinced it is the keysize, although it is
possible that the version of nss matters for this. Our tests used
nss-3.18.0-1.fc21.

> There is definitely a bug in the ipsec (import) script when the CA name has spaces. I have crudely fixed it by amending line 80 to
>
> certutil -L -d "${IPSEC_NSSDIR_SQL}" | egrep -v 'Certificate|MIME' | awk '{$NF=""; print $0}' | awk '{gsub(/^ +| +$/,""); print}' | grep -v "^$" | while read -r cert; do
>
> There may be a better way but this seems to remove the trailing whitespace that was causing the problem for me.

Thanks, we will fix the trailing space issue for the next release.

Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
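The parsing problem discussed in this thread (a `certutil -L` listing where the nickname column can itself contain spaces, and where stripping the trust-attribute column leaves trailing padding) is shown below as an added example. It is not the libreswan `ipsec import` script and not code from either poster; the function names `nss_nicknames` and `count_nicknames` and the sample listing are constructed for this example. Instead of `egrep -v 'Certificate|MIME'`, which would also discard any nickname that happens to contain the word "Certificate", it drops only the two header lines by anchored pattern, then removes the trust flags (three comma-separated groups of letters) and the surrounding padding with one `sed` substitution.

```shell
#!/bin/sh
# Added example (not libreswan's ipsec script): list the nicknames in an NSS
# database from `certutil -L` output, keeping nicknames that contain spaces
# intact and with no trailing padding left over from the trust column.

# nss_nicknames: read `certutil -L -d <dir>` output on stdin and print one
# nickname per line. Assumptions: the listing starts with the standard
# "Certificate Nickname ... Trust Attributes" / "SSL,S/MIME,JAR/XPI" header,
# and each entry ends in a trust string such as "CT,,", "u,u,u" or "CTu,u,u".
nss_nicknames() {
    sed -e '/^Certificate Nickname/d' \
        -e '/^[[:space:]]*SSL,S\/MIME,JAR\/XPI[[:space:]]*$/d' \
        -e '/^[[:space:]]*$/d' \
        -e 's/[[:space:]]*[A-Za-z]*,[A-Za-z]*,[A-Za-z]*[[:space:]]*$//' \
        -e 's/^[[:space:]]*//'
}

# Constructed sample of `certutil -L` output (columns shortened for display).
# It includes a nickname with spaces and one containing the word "Certificate".
SAMPLE_CERTUTIL_L='Certificate Nickname                 Trust Attributes
                                     SSL,S/MIME,JAR/XPI

Test CA with spaces                  CT,,
east                                 u,u,u
My Certificate Authority             CTu,u,u'

# count_nicknames: number of entries the parser finds in the sample.
count_nicknames() {
    printf '%s\n' "$SAMPLE_CERTUTIL_L" | nss_nicknames | wc -l | tr -d ' '
}

# Iterate over the nicknames. IFS= keeps internal spacing exactly as listed,
# and quoting "$nick" is what makes a later `certutil -L -n "$nick"` work
# for names that contain spaces. Brackets make any stray padding visible.
printf '%s\n' "$SAMPLE_CERTUTIL_L" | nss_nicknames | while IFS= read -r nick; do
    printf 'nickname=[%s]\n' "$nick"
done
```

Replacing `SAMPLE_CERTUTIL_L` with `certutil -L -d "sql:/etc/ipsec.d"` (or whatever directory the script uses) gives a drop-in listing; the trust-string pattern is the only part that depends on the NSS output format, so it is the thing to re-check if a future `certutil` changes its columns.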
