[Openswan dev] [slanser at tallmaple.com: Re: [Openswan Users] unsupported dh groups?]

Steve Lanser slanser at tallmaple.com
Tue Feb 14 13:27:39 EST 2012

Reminder to myself an others that this needs follow-up.

Did Avesh every have a reply to this?

We're obviously hard pressed IKEv2 issues right now, but this is a serious
enough issue for us that we'll need to get a fix for in the near future.

If there's good reason to believe that compiling without NSS will be a
workaround, we can do that, but I'd like something to back that up.


----- Forwarded message from Steve Lanser <slanser at tallmaple.com> -----

X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
X-Spam-Status: No, score=-1.0 required=8.0 tests=ALL_TRUSTED autolearn=ham
Date: Fri, 6 Jan 2012 14:11:00 -0800
From: Steve Lanser <slanser at tallmaple.com>
To: Paul Wouters <paul at nohats.ca>
Cc: Steve Lanser <slanser at tallmaple.com>, Avesh Agarwal <avagarwa at redhat.com>,
        users at openswan.org
Subject: Re: [Openswan Users] unsupported dh groups?
In-Reply-To: <alpine.LFD.2.02.1201061652170.20047 at bofh.nohats.ca>
User-Agent: Mutt/

On Fri, Jan 06, 2012 at 04:54:00PM -0500, Paul Wouters wrote:
> On Thu, 5 Jan 2012, Steve Lanser wrote:
> >>>While it accepts the configuration of the following Diffie Hellman 
> >>>groups:
> >>>
> >>>  modp3072 (group 15)
> >>>  modp4096 (group 16)
> >>>  modp6144 (group 17)
> >>>  modp8192 (group 18)
> >>>These all fail once peer negotiation ensues, and pluto rather 
> >>>dramatically
> >>>aborts (something that no connection problem should ever cause a daemon 
> >>>to
> >>>do in my opinion):
> >>
> >>That should never happen. Can you get us a gdb backtrace ?
> >139     privk = PK11_GenerateKeyPair(slot, CKM_DH_PKCS_KEY_PAIR_GEN, &dhp,
> >&pubk, PR_FALSE, PR_TRUE, osw_retu    rn_nss_password_file_info());
> >140     if(!privk) {
> >141         loglog(RC_LOG_SERIOUS, "NSS: DH private key creation failed");
> >142     }
> >143     PR_ASSERT(privk!=NULL);
> Does NSS not support these groups? Avesh?
> >>Did your compile enable USE_MODP_RFC5114?=true (the default)
> >Yes, by default.  The three RFC5114 groups 22, 23 and 24 appear to work.
> Did you try compiling without NSS?
No I haven't.  I don't have direct control of our openswan build (it's
handled under our platform build process), so I can't do this right away.

I'm unfamiliar with the differences.  Are there any interesting IPsec
features or behaviors we might loose if we don't use LIBNSS?

> Paul

----- End forwarded message -----

More information about the Dev mailing list