[Openswan Users] CKAIDNSS keyword not found where expected in RSAkey in /var/log/secure

Greg Scott GregScott at InfraSupportEtc.com
Wed Jul 8 10:44:10 EDT 2009

I bought some time this morning so I don't have to panic now.  :)

Earlier I figured, maybe I can just generate some new keys and see
what's different, so I did (from memory):

ipsec newhostkey --output /home/gregs/junk.secrets 

And it gave me an error saying I now need another parameter named

So this configdir must have something to do with this mysterious NSS
database, right?  

If I am reading the tea-leaves correctly, it looks like there was a
security bug in earlier versions of just about everything that generates
keys or certificates.  Openswan 2.6.22 fixes the bugs and evidently
RedHat backported the patches back to the 2.6.21 release that went out
with Fedora 11.  Or maybe it's a recent RedHat update to F11, not sure.

Regardless, if it's a security issue, we can't just keep using the old
version with (now) known security bugs.  If we need NSS then we need NSS
and we'll have to learn how to use it - whatever it is.  But now we have
an apparent compatibility problem because it also seems that keys
generated by the old version will not work with the new version.  At
least the local hostkey doesn't seem to work.  So that brings up some

1 - What else broke?

2 - If I upgrade the left side to the new version, do I need to upgrade
the right side to the new version at the same time or will the new
version interoperate with the old version?

3 - Any suggestions for phasing in the new version?


- Greg

-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com] 
Sent: Wednesday, July 08, 2009 7:10 AM
To: Greg Scott
Cc: users at lists.openswan.org
Subject: RE: [Openswan Users] CKAIDNSS keyword not found where expected
in RSAkey in /var/log/secure

On Wed, 8 Jul 2009, Greg Scott wrote:

> Lovely.  Nasty surprises are my friend.  :)
> In this case, I can get away with making new keys if needed, but I
have to be up and running by 8AM, about 1 1/2 hours from now.  I am
using RSA keys, how do I make keys inside the NSS database?  And what
the heck is the NSS database anyway?

Recompiling will be faster. 
There is a README.NSS in the doc/ directory (though I believe it did not
get included with the openswan-doc package yet)


More information about the Users mailing list