[Openswan Users] CKAIDNSS keyword not found where expected in RSAkey in /var/log/secure
Avesh Agarwal
avagarwa at redhat.com
Wed Jul 8 11:13:33 EDT 2009
Greg Scott wrote:
> I bought some time this morning so I don't have to panic now. :)
>
> Earlier I figured, maybe I can just generate some new keys and see
> what's different, so I did (from memory):
>
> ipsec newhostkey --output /home/gregs/junk.secrets
>
> And it gave me an error saying I now need another parameter named
> configdir.
>
You need to first create an NSS db as follows
certutil -N -d sql:/etc/ipsec.d
Then create keys as follows
ipsec newhostkey --configdir /etc/ipsec.d --password <password> --output /etc/ipsec.d/ipsec.secrets
(password is needed only if you created an NSS database password)
> So this configdir must have something to do with this mysterious NSS
> database, right?
>
> If I am reading the tea-leaves correctly, it looks like there was a
> security bug in earlier versions of just about everything that generates
> keys or certificates. Openswan 2.6.22 fixes the bugs and evidently
> RedHat backported the patches back to the 2.6.21 release that went out
> with Fedora 11. Or maybe it's a recent RedHat update to F11, not sure.
>
>
> Regardless, if it's a security issue, we can't just keep using the old
> version with (now) known security bugs. If we need NSS then we need NSS
> and we'll have to learn how to use it - whatever it is. But now we have
> an apparent compatibility problem because it also seems that keys
> generated by the old version will not work with the new version. At
> least the local hostkey doesn't seem to work. So that brings up some
> questions:
>
> 1 - What else broke?
>
Now PSK support is also released in Fedora, check the version 2.6.21-5
in Fedora 11. So hopefully nothing is broken, until we find out otherwise.
> 2 - If I upgrade the left side to the new version, do I need to upgrade
> the right side to the new version at the same time or will the new
> version interoperate with the old version?
>
>
It should operate with old versions (or versions without NSS).
Avesh
> 3 - Any suggestions for phasing in the new version?
>
> Thanks
>
> - Greg
>
>
>
> -----Original Message-----
> From: Paul Wouters [mailto:paul at xelerance.com]
> Sent: Wednesday, July 08, 2009 7:10 AM
> To: Greg Scott
> Cc: users at lists.openswan.org
> Subject: RE: [Openswan Users] CKAIDNSS keyword not found where expected
> in RSAkey in /var/log/secure
>
> On Wed, 8 Jul 2009, Greg Scott wrote:
>
>
>> Lovely. Nasty surprises are my friend. :)
>>
>> In this case, I can get away with making new keys if needed, but I
>> have to be up and running by 8AM, about 1 1/2 hours from now. I am
>> using RSA keys, how do I make keys inside the NSS database? And what
>> the heck is the NSS database anyway?
>
>
> Recompiling will be faster.
> There is a README.NSS in the doc/ directory (though I believe it did not
> get included with the openswan-doc package yet)
>
> Paul
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
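The two steps Avesh gives above (create the NSS database with certutil, then generate the host key into it with ipsec newhostkey --configdir) as one POSIX shell script. This is an added example, not Avesh's or the Openswan project's code. It assumes certutil (nss-tools) and the openswan ipsec wrapper are on PATH, uses the /etc/ipsec.d paths from the thread, and the nsspassword file name is an assumption of this example. It also includes a small check that tells a pre-NSS ipsec.secrets (RSA key with the Modulus embedded inline) from an NSS-backed one (RSA key referenced by the CKAIDNSS keyword), which is the distinction behind the error in the subject line, and refuses to overwrite a secrets file that already holds an NSS-backed key.

```shell
#!/bin/sh
# Added example: initialise the Openswan NSS database and generate the RSA
# host key into it, then verify the result. Not code from the thread.
# Assumes: certutil and the `ipsec` wrapper are installed and on PATH.
set -u

NSS_DIR="${NSS_DIR:-/etc/ipsec.d}"                  # path from the thread
SECRETS="${SECRETS:-/etc/ipsec.d/ipsec.secrets}"    # path from the thread
NSS_PASSWORD="${NSS_PASSWORD:-}"                    # empty = no DB password
PW_FILE="$NSS_DIR/nsspassword"                      # hypothetical file name

# Classify an ipsec.secrets file:
#   nss    - the RSA stanza references the NSS store (CKAIDNSS keyword)
#   legacy - the RSA stanza carries Modulus/PrivateExponent inline, the
#            pre-NSS format that an NSS-enabled pluto rejects with
#            "CKAIDNSS keyword not found where expected in RSAkey"
#   none   - no RSA stanza at all (e.g. PSK-only file, or missing file)
secrets_format() {
  f="$1"
  if grep -q 'CKAIDNSS' "$f" 2>/dev/null; then
    echo nss
  elif grep -q 'Modulus:' "$f" 2>/dev/null; then
    echo legacy
  else
    echo none
  fi
}

# Step 1: create the NSS database. With a password set, store it in a
# root-only file so later tools can read it non-interactively; without
# one, certutil prompts (press Enter twice for an unprotected database).
create_nss_db() {
  mkdir -p "$NSS_DIR"
  if [ -n "$NSS_PASSWORD" ]; then
    umask 077
    printf '%s\n' "$NSS_PASSWORD" > "$PW_FILE"
    certutil -N -d "sql:$NSS_DIR" -f "$PW_FILE"
  else
    certutil -N -d "sql:$NSS_DIR"
  fi
}

# Step 2: generate the host key into the NSS store. --password is passed
# only when the database was created with one, as the thread notes.
generate_hostkey() {
  if [ -n "$NSS_PASSWORD" ]; then
    ipsec newhostkey --configdir "$NSS_DIR" --password "$NSS_PASSWORD" \
      --output "$SECRETS"
  else
    ipsec newhostkey --configdir "$NSS_DIR" --output "$SECRETS"
  fi
  chmod 600 "$SECRETS"
}

# Run both steps, but never clobber a secrets file that already holds an
# NSS-backed key (that would silently orphan the key in the store).
setup_nss_hostkey() {
  if [ "$(secrets_format "$SECRETS")" = nss ]; then
    echo "NSS-backed host key already present in $SECRETS; not overwriting" >&2
    return 1
  fi
  create_nss_db || return 1
  generate_hostkey || return 1
  # Verify: a private key is listed in the store and the secrets file
  # references it instead of embedding it.
  certutil -K -d "sql:$NSS_DIR" >/dev/null || return 1
  [ "$(secrets_format "$SECRETS")" = nss ]
}

if [ "${1:-}" = run ]; then
  setup_nss_hostkey
fi
```

Run as root with `sh setup-nss-hostkey.sh run` (optionally with NSS_PASSWORD exported). Afterwards `ipsec showhostkey --left` prints the public half for the conn definition; a legacy secrets file reported by secrets_format explains the CKAIDNSS error on an NSS-enabled build and needs the key regenerated with the steps above.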