[Openswan Users] OpenSWAN truncating NSS passwords
John A. Sullivan III
jsullivan at opensourcedevel.com
Fri Oct 23 10:25:22 EDT 2009
Hello, all. We had quite an adventure this morning learning the hard
way that RHEL/CentOS 5.4 have changed the openswan RPM to use NSS. We
are working again but may have stumbled across a bug (or a point of
ignorance on our part!).
It appears that when OpenSWAN passes the password to unlock the nss
database, it truncates the last letter. Here is what we experienced.
We first tried to implement FIPS as we do try to run a secure site.
Here is our procedure from our internal documentation:
Do the following to convert the old installation to the new one.

Create the NSS database using the medium security password:

    export NSS_DEFAULT_DB_TYPE="sql"
    certutil -N -d /etc/ipsec.d

Create the nsspassword file:

    NSS FIPS 140-2 Certificate DB:<password>

    chmod 660 /etc/ipsec.d/nsspassword

Enable FIPS:

    modutil -fips true -dbdir /etc/ipsec.d

We will need the original PKCS#12 packages rather than the extracted keys
and certs. If we need to recreate the PKCS#12 file from the key and cert,
do the following:

    openssl pkcs12 -export -in cert.pem -inkey key.pem \
        -certfile cacert.pem -out certkey.p12 -name <nickname>

(if -name is omitted, the nickname will be supplied automatically by
pk12util during the import procedure below)

Import the PKCS#12 file:

    pk12util -i <file>.p12 -d /etc/ipsec.d

Import any other needed CA certs:

    certutil -d . -A -i otherca.pem -t "TCu,Cu,Tuw" -n OtherCANickName

Create file /etc/ipsec.d/nss.certs with the following:

    @fqdn: RSA "<name of certificate in nss db>" ""

Edit /etc/ipsec.secrets to reflect the cert nickname rather than the key:

    : RSA "<name of certificate in nss db>"

Edit your connection and replace the leftcert/rightcert with the
certificate nickname of the certificate in the nss db.
It failed to unlock the NSS database. It showed the failed password
in /var/log/secure and it was missing the last letter. We thought it
might be a FIPS thing so we disabled FIPS and changed the nsspassword
file token name. We saw the same failed result - the password missing
the last letter.
We thought we might be one letter too long as we do use long passwords
so we changed the password on the NSS store to be the one which was
being passed by OpenSWAN (i.e., without the last letter) and changed
nsspassword. The same results - it was now missing the new last letter.
Finally we disabled password protection and it all worked. Is this a
bug or did we do something wrong? We'd like to enable FIPS and use
password protection on the NSS store. Thanks - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
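A diagnostic for the password mismatch described above, added here as example code that is not part of the post or of openswan: it shows exactly what password is stored in an nsspassword file for a given token (length and any hidden trailing characters) and, separately, tries to unlock the token with certutil using the same file, so a failure logged in /var/log/secure can be traced to the file or to what ipsec passes on. The db path, the sample entry and the availability of certutil on PATH are assumptions.

```shell
#!/bin/sh
# Diagnostics for an openswan nsspassword file ("Token Name:password", one
# entry per line). Paths and the sample entry below are assumptions.

CR=$(printf '\r')

# Print the password stored for TOKEN ($2) in FILE ($1). Only the first ':'
# separates token name from password, so the password itself may contain ':'.
# Returns 1 when the token has no entry.
nss_token_password() {
    awk -v tok="$2" '
        !done && index($0, tok ":") == 1 { print substr($0, length(tok) + 2); done = 1 }
        END { exit done ? 0 : 1 }
    ' "$1"
}

# Report the stored password length and flag characters that are easy to add
# by accident (CRLF line ending, trailing space) and silently change it.
nss_password_report() {
    pw=$(nss_token_password "$1" "$2") || { echo "no entry for '$2' in $1" >&2; return 1; }
    flags=""
    case $pw in *"$CR") flags="$flags trailing-CR" ;; esac
    case $pw in *" ")   flags="$flags trailing-space" ;; esac
    echo "length=${#pw}${flags}"
}

# Try to unlock the token with the same file, independently of openswan.
# certutil -f reads "token:password" lines (certutil assumed on PATH);
# -K lists private keys, which requires the token to be unlocked.
nss_try_unlock() {
    if certutil -K -d "$1" -f "$2" >/dev/null 2>&1; then echo unlocked; else echo failed; fi
}

# Constructed sample: a FIPS token entry that was saved with a CRLF line ending.
demo_file=$(mktemp)
printf 'NSS FIPS 140-2 Certificate DB:Sw0rdf1sh!\r\n' > "$demo_file"
nss_password_report "$demo_file" "NSS FIPS 140-2 Certificate DB"   # length=11 trailing-CR
rm -f "$demo_file"
# Against a real store: nss_try_unlock /etc/ipsec.d /etc/ipsec.d/nsspassword
```

If the report shows the expected length with no flags and certutil still unlocks the token with that file, the password on disk is correct and the shortened value in the log points at what the ipsec side passes on.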