[Openswan Users] CKAIDNSS keyword not found where expected in RSAkey in /var/log/secure
avagarwa at redhat.com
Wed Jul 8 11:13:33 EDT 2009
Greg Scott wrote:
> I bought some time this morning so I don't have to panic now. :)
> Earlier I figured, maybe I can just generate some new keys and see
> what's different, so I did (from memory):
> ipsec newhostkey --output /home/gregs/junk.secrets
> And it gave me an error saying I now need another parameter named
You need to first create a NSS db as follows
certutil -N -d sql:/etc/ipsec.d
Then create keys as follows
ipsec newhostkey --configdir /etc/ipsec.d --password <password> --output
/etc/ipsec.d/ipsec.secrets (password is need only if you create NSS
> So this configdir must have something to do with this mysterious NSS
> database, right?
> If I am reading the tea-leaves correctly, it looks like there was a
> security bug in earlier versions of just about everything that generates
> keys or certificates. Openswan 2.6.22 fixes the bugs and evidently
> RedHat backported the patches back to the 2.6.21 release that went out
> with Fedora 11. Or maybe it's a recent RedHat update to F11, not sure.
> Regardless, if it's a security issue, we can't just keep using the old
> version with (now) known security bugs. If we need NSS then we need NSS
> and we'll have to learn how to use it - whatever it is. But now we have
> an apparent compatibility problem because it also seems that keys
> generated by the old version will not work with the new version. At
> least the local hostkey doesn't seem to work. So that brings up some
> 1 - What else broke?
Now PSK support is also released in Fedora, check the version 2.6.21-5
in Fedora 11. So hopefully nothing is broken or until we find out.
> 2 - If I upgrade the left side to the new version, do I need to upgrade
> the right side to the new version at the same time or will the new
> version interoperate with the old version?
It should operate with old versions (or versions with out NSS).
> 3 - Any suggestions for phasing in the new version?
> - Greg
> -----Original Message-----
> From: Paul Wouters [mailto:paul at xelerance.com]
> Sent: Wednesday, July 08, 2009 7:10 AM
> To: Greg Scott
> Cc: users at lists.openswan.org
> Subject: RE: [Openswan Users] CKAIDNSS keyword not found where expected
> in RSAkey in /var/log/secure
> On Wed, 8 Jul 2009, Greg Scott wrote:
>> Lovely. Nasty surprises are my friend. :)
>> In this case, I can get away with making new keys if needed, but I
> have to be up and running by 8AM, about 1 1/2 hours from now. I am
> using RSA keys, how do I make keys inside the NSS database? And what
> the heck is the NSS database anyway?
> Recompiling will be faster.
> There is a README.NSS in the doc/ directory (though I believe it did not
> get included with the openswan-doc package yet)
> Users at openswan.org
> Building and Integrating Virtual Private Networks with Openswan:
More information about the Users