[Openswan Users] OpenSWAN truncating NSS passwords

Avesh Agarwal avagarwa at redhat.com
Fri Oct 23 10:36:51 EDT 2009


On 10/23/2009 10:25 AM, John A. Sullivan III wrote:
> Hello, all.  We had quite an adventure this morning learning the hard
> way that RHEL/CentOS 5.4 have changed the openswan RPM to use NSS.  We
> are working again but may have stumbled across a bug (or a point of
> ignorance on our part!).
>
> It appears that when OpenSWAN passes the password to unlock the nss
> database, it truncates the last letter.  Here is what we experienced.
>
> We first tried to implement FIPS as we do try to run a secure site.
> Here is our procedure from our internal documentation:
>
>          Do the following to convert the old installation to the new one.
>          Create the NSS database using the medium security password:
>                  export NSS_DEFAULT_DB_TYPE="sql"
>                  certutil -N -d /etc/ipsec.d
>          Create the nsspassword file:
>                  NSS FIPS 140-2 Certificate DB:<password>
>                  chmod 660 /etc/ipsec.d/nsspassword
>          Enable FIPS:
>                  modutil -fips true -dbdir /etc/ipsec.d
>          We will need the original PKCS#12 packages rather than the
>          extracted keys and certs.  If we need to recreate the PKCS#12
>          file from the key and cert, do the following:
>                  openssl pkcs12 -export -in cert.pem -inkey key.pem
>                  -certfile cacert.pem -out certkey.p12 -name <nickname -
>                  if omitted it will be supplied automatically by pk12util
>                  during the import procedure below>
>          Import the PKCS#12 file:
>                  pk12util -i <file>.p12 -d /etc/ipsec.d
>          Import any other needed CA certs:
>                  certutil -d . -A -i otherca.pem -t "TCu,Cu,Tuw" -n
>                  OtherCANickName
>          create file /etc/ipsec.d/nss.certs with the following:
>                  @fqdn: RSA "<name of certificate in nss db>" ""
>          Edit /etc/ipsec.secrets to reflect the cert nick name rather
>          than the key:
>                  : RSA "<name of certificate in nss db>"
>          Edit your connection and replace the leftcert/rightcert with the
>          certificate nickname of the certificate in nss db.
>
> It failed to unlock the NSS database.  It showed the failed password
> in /var/log/secure and it was missing the last letter.  We thought it
> might be a FIPS thing so we disabled FIPS and changed the nsspassword
> file token name.  We saw the same failed result - the password missing
> the last letter.
>
> We thought we might be one letter too long as we do use long passwords
> so we changed the password on the NSS store to be the one which was
> being passed by OpenSWAN (i.e., without the last letter) and changed
> nsspassword.  The same results - it was now missing the new last letter.
>
> Finally we disabled password protection and it all worked.  Is this a
> bug or did we do something wrong? We'd like to enable FIPS and use
> password protection on the NSS store.  Thanks - John
>    
It is surprising why it is happening. Anyway, as you say that it is 
truncating, one way of dealing with it, for example, say your password 
is "1234", maybe you can put "1234x" in the file. Just a workaround.

I will look into it soon. But again, I have been using it and I did not 
experience it.

Thanks
Avesh
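
The nsspassword step of the procedure quoted above, as an added example that is neither from the thread nor from openswan: it writes the "<token name>:<password>" file with mode 660 and then contrasts a newline-safe reader with a reader that unconditionally drops the file's last byte. That drop-last-byte behaviour is an assumption introduced here to reproduce the "missing last letter" symptom; the thread does not identify the actual cause. NSSDIR defaults to a scratch directory so the script runs without root or the NSS tools; the token name and the "1234" password are the ones used in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from openswan.
# NSSDIR stands in for /etc/ipsec.d so this runs without root; set
# NSSDIR=/etc/ipsec.d to write the real file.
NSSDIR="${NSSDIR:-$(mktemp -d)}"

# write_nsspassword TOKEN PASSWORD
# Writes "TOKEN:PASSWORD" followed by a newline, mode 660, as the procedure
# requires. Created with a restrictive umask so it is never world-readable.
write_nsspassword() {
    token="$1"; pw="$2"
    mkdir -p "$NSSDIR"
    (umask 077 && printf '%s:%s\n' "$token" "$pw" > "$NSSDIR/nsspassword")
    chmod 660 "$NSSDIR/nsspassword"
}

# lookup_password FILE TOKEN
# Prints the password stored for TOKEN. Matches only the text before the
# first ':' so a password that itself contains ':' survives, and the
# '|| [ -n "$line" ]' clause still handles a last line with no newline.
lookup_password() {
    file="$1"; token="$2"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "$token:"*) printf '%s' "${line#"$token:"}"; return 0 ;;
        esac
    done < "$file"
    return 1
}

# naive_password FILE
# Assumed mechanism (not from the thread): a reader that expects the file to
# end in '\n' and removes one byte unconditionally. Correct when the newline
# is present, one character short when it is not.
naive_password() {
    n=$(wc -c < "$1")
    head -c "$((n - 1))" "$1" | sed 's/^[^:]*://'
}

demo() {
    token="NSS FIPS 140-2 Certificate DB"
    write_nsspassword "$token" "1234"
    f="$NSSDIR/nsspassword"
    printf 'file ends in newline: safe=%s naive=%s\n' \
        "$(lookup_password "$f" "$token")" "$(naive_password "$f")"
    # Same line saved without a trailing newline, as some editors do.
    printf '%s:%s' "$token" "1234" > "$f.nonl"
    printf 'file lacks newline:   safe=%s naive=%s\n' \
        "$(lookup_password "$f.nonl" "$token")" "$(naive_password "$f.nonl")"
}

demo
```

Whichever reader openswan actually uses, the cheap check on a real system is whether the file ends in a newline: `tail -c 1 /etc/ipsec.d/nsspassword | od -c` prints `\n` if it does. If it does not, re-saving the file with a final newline is a cleaner fix than the "1234x" workaround, which leaves a password in the file that differs from the one set on the token.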
