[Openswan Users] OpenSWAN truncating NSS passwords

Marek Greško gresko at thr.sk
Fri Oct 23 10:42:30 EDT 2009


On Fri 23 October 2009 John A. Sullivan III wrote:
> Hello, all.  We had quite an adventure this morning learning the hard
> way that RHEL/CentOS 5.4 have changed the openswan RPM to use NSS.  We
> are working again but may have stumbled across a bug (or a point of
> ignorance on our part!).
> 
> It appears that when OpenSWAN passes the password to unlock the nss
> database, it truncates the last letter.  Here is what we experienced.
> 
> We first tried to implement FIPS as we do try to run a secure site.
> Here is our procedure from our internal documentation:
> 
>         Do the following to convert the old installation to the new one.
>         Create the NSS database using the medium security password:
>                 export NSS_DEFAULT_DB_TYPE="sql"
>                 certutil -N -d /etc/ipsec.d
>         Create the nsspassword file:
>                 NSS FIPS 140-2 Certificate DB:<password>
>                 chmod 660 /etc/ipsec.d/nsspassword
>         Enable FIPS:
>                 modutil -fips true -dbdir /etc/ipsec.d
>         We will need the original PKCS#12 packages rather than the
>         extracted keys and certs.  If we need to recreate the PKCS#12
>         file from the key and cert, do the following:
>                 openssl pkcs12 -export -in cert.pem -inkey key.pem
>                 -certfile cacert.pem -out certkey.p12 -name <nickname -
>                 if omitted it will be supplied automatically by pk12util
>                 during the import procedure below>
>         Import the PKCS#12 file:
>                 pk12util -i <file>.p12 -d /etc/ipsec.d
>         Import any other needed CA certs:
>                 certutil -d . -A -i otherca.pem -t "TCu,Cu,Tuw" -n
>                 OtherCANickName
>         create file /etc/ipsec.d/nss.certs with the following:
>                 @fqdn: RSA "<name of certificate in nss db>" ""

If your nss database is protected by a password, it goes there too (suppose
it is mypassword):
                 @fqdn: RSA "<name of certificate in nss db>" "mypassword"


>         Edit /etc/ipsec.secrets to reflect the cert nick name rather
>         than the key:
>                 : RSA "<name of certificate in nss db>"

/etc/ipsec.secrets should contain only:

include /etc/ipsec.d/*.secrets


Hope this helps.

M.

> 
>         Edit your connection and replace the leftcert/rightcert with the
>         certificate nickname of the certificate in nss db.
> 
> It failed to unlock the NSS database.  It showed the failed password
> in /var/log/secure and it was missing the last letter.  We thought it
> might be a FIPS thing so we disabled FIPS and changed the nsspassword
> file token name.  We saw the same failed result - the password missing
> the last letter.
> 
> We thought we might be one letter too long as we do use long passwords
> so we changed the password on the NSS store to be the one which was
> being passed by OpenSWAN (i.e., without the last letter) and changed
> nsspassword.  The same results - it was now missing the new last letter.
> 
> Finally we disabled password protection and it all worked.  Is this a
> bug or did we do something wrong? We'd like to enable FIPS and use
> password protection on the NSS store.  Thanks - John
> 


-- 
Marek Greško
system administrator
THR Systems, a. s.
tel.: +421 650 52 00 24

Our company is constantly creating new jobs, so don't miss our offer:
http://www.thrsystems.com/2006/sk/ospolocnosti/index.php#kariera
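A small sanity check for the nsspassword file described in the procedure above, added here as an example and not code from the thread or from openswan: it prints each token name and the length of the password after it (to compare against what the log shows), flags a missing ":" separator or trailing whitespace/CR after the password, which is a common reason a file-supplied secret does not match the one typed at certutil, and verifies the 660 mode the procedure prescribes. The file path and password are placeholders constructed for the example.

```shell
#!/bin/sh
# Added example: check an nsspassword file of the form
#   <token name>:<password>
# before pointing pluto at it. Sample content is constructed below.

# Print "<token>\t<password length>" per line, or a BAD line and exit 1.
# Split only on the FIRST ':' because the FIPS token name
# ("NSS FIPS 140-2 Certificate DB") contains spaces and the password
# itself may legitimately contain ':'.
nsspassword_summary() {
    file=$1
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            '') continue ;;
            *:*) ;;
            *) printf 'BAD: no ":" separator: %s\n' "$line"; return 1 ;;
        esac
        token=${line%%:*}
        pass=${line#*:}
        # A stray CR (file edited on Windows) or trailing blank would be
        # handed over as part of the secret and never match the token PIN.
        case "$pass" in
            *"$(printf '\r')"*|*' '|*"$(printf '\t')")
                printf 'BAD: trailing whitespace/CR for token "%s"\n' "$token"
                return 1 ;;
        esac
        printf '%s\t%d\n' "$token" "${#pass}"
    done < "$file"
}

# The procedure sets chmod 660; refuse anything else (GNU stat, BSD fallback).
nsspassword_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "660" ]
}

# Constructed sample matching the thread's FIPS token name; placeholder password.
SAMPLE=$(mktemp)
printf 'NSS FIPS 140-2 Certificate DB:PLACEHOLDERpass:w0rd\n' > "$SAMPLE"
chmod 660 "$SAMPLE"
nsspassword_summary "$SAMPLE"
nsspassword_mode_ok "$SAMPLE" && echo "mode ok"
```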
