I probably mixed up answering different emails :) Sorry about that
Sent from mobile device

> On Apr 2, 2019, at 18:52, LAURIA Giuseppe <[email protected]> wrote:
>
> Hi Paul.
>
> Where did you see "authby=secret"?
>
> You mean the 'old' environment (connections) worked without NSS?
>
> The new one I'm pretty sure that it uses the entries that I modified from 'CT' to 'P'.
>
> I do not know that I lied. I would say I do not know the ipsec stuff. Maybe I misconfigured libreswan but if the NSS was not used I did not know about.
>
> Thank you again.
> Best regards.
> Giuseppe
>
>
> -----Original Message-----
> From: Paul Wouters <[email protected]>
> Sent: Tuesday, April 2, 2019 18:35
> To: LAURIA Giuseppe <[email protected]>
> Cc: [email protected]
> Subject: [EXTERNAL] Re: AW: Re: AW: Re: AW: [Swan] INVALID_ID_INFORMATION
>
>> On Tue, 2 Apr 2019, LAURIA Giuseppe wrote:
>>
>> We finally managed to have it running.
>
> Great!
>
>> I did not realize that the NSS database has to be 'correct'! In the past the
>> NSS database was not; i.e. the peer public key was imported, but had the
>> 'Trust Attribute' set to 'CT,,'. This worked in libreswan version
>> libreswan-3.15-7.5.el6_9.x86_64.
>
> To be fair, all your connections showed authby=secret so no NSS database was
> used there. So you did lie a bit :)
>
>> certutil -d sql:. -M -n "<peer-cert-nickname>" -t "P,,"
>>
>>
>> "NEW"
>> certutil -L -d sql:.
>>
>> Certificate Nickname                      Trust Attributes
>>                                           SSL,S/MIME,JAR/XPI
>>
>> <peer-cert-nickname>                      P,,
>
> That's good to know, I didn't know that. I tend to just generate a CA and
> peers.
>
> Paul

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
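The trust-attribute check discussed in this thread, as an added example that is not part of any message above: it parses `certutil -L` output and reports whether a certificate's SSL trust field carries `P` (trusted peer), the setting the poster reports changing from `CT,,`. The nicknames and the listing are constructed sample data, and the function names are hypothetical; in practice, pipe real `certutil -L -d sql:.` output into `peer_trust_ok`.

```shell
#!/bin/sh
# Constructed sample of `certutil -L -d sql:.` output (not taken from the thread).
sample_listing() {
cat <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

peer-gw-old                                                  CT,,
peer-gw-new                                                  P,,
Example Root CA                                              CT,,
local-host-cert                                              u,u,u
EOF
}

# ssl_trust NICKNAME: read a certutil -L listing on stdin and print the SSL
# trust field (first of the three comma-separated fields) for NICKNAME.
# Nicknames may contain spaces. Exit status 2 if the nickname is not listed.
ssl_trust() {
  awk -v nick="$1" '
    NF >= 2 && $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
      flags = $NF
      name = $0
      sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)   # drop the trust column
      sub(/^[ \t]+/, "", name)                # drop leading indentation
      if (name == nick) { split(flags, f, ","); print f[1]; found = 1; exit }
    }
    END { if (!found) exit 2 }
  '
}

# peer_trust_ok NICKNAME: 0 if the SSL trust field contains uppercase P,
# 1 if the certificate is listed without it (for example CT,,), 2 if absent.
peer_trust_ok() {
  t=$(ssl_trust "$1") || return 2
  case "$t" in
    *P*) return 0 ;;
    *)   return 1 ;;
  esac
}

for n in peer-gw-old peer-gw-new; do
  if sample_listing | peer_trust_ok "$n"; then
    echo "$n: SSL trust includes P"
  else
    echo "$n: SSL trust lacks P"
  fi
done
```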
