[Openswan Users] OpenSWAN truncating NSS passwords

John A. Sullivan III jsullivan at opensourcedevel.com
Sat Oct 24 04:42:18 EDT 2009 

On Sat, 2009-10-24 at 08:50 +0300, Tuomo Soini wrote:
> Avesh Agarwal wrote:
> 
> > It is surprising why it is happening. Anyway as you say that it is 
> > truncating, one way of dealing with it, for example, say your password 
> > is "1234", may be you can put "1234x" in the file. Just a workaround.
> 
> I have a guess. I think he didn't insert lf at the end of the line an
> code looks for it and removes. So code should be changed to check for lf
>  and possibly crlf et the end of the line and only remove it if those
> are there.
> 
> > I will look into it soon. But again, I have been using it and i did not 
> > experience it.
> 
Yes, I do have more information.  Inserting the line feed seems to send
the correct password now.  However, it is still not working.  There
seems to be some confusion about where passwords go - certainly in my
mind.  There are three possible
files, /etc/ipsec.secrets, /etc/ipsec.d/nss.certs,
and /etc/ipsec.d/nsspassword.

The documentation says the NSS store password goes in nsspassword so
that's where I placed it.

I've heard conflicting advice about the rest.  I interpreted the
documentation to say that ipsec.secrets should contain the nickname of
the cert.  It said nothing about passwords.  If it should take a
password, I do not know if it is the password for the store or the key.
I have also been told that it is completely unnecessary.

The documentation also says to create nss.certs with the nick name of
the cert.  It mentioned nothing about passwords but I've also been told
that the store password goes there.

So here are the results from the various permutations:
No passwords anywhere except nsspassword.  Certs referenced without
passwords in both ipsec.secrets and nss.certs:
Oct 24 04:29:51 fw01 ipsec__plutorun: Starting Pluto subsystem...
Oct 24 04:29:51 fw01 pluto[12480]: nss directory plutomain: /etc/ipsec.d
Oct 24 04:29:51 fw01 pluto[12480]: NSS Initialized
Oct 24 04:29:51 fw01 pluto[12480]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Oct 24 04:29:51 fw01 pluto[12480]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Oct 24 04:29:52 fw01 pluto[12480]: Changing to directory '/etc/ipsec.d/crls'
Oct 24 04:29:52 fw01 pluto[12480]:   loaded crl file 'SSICRL.pem' (1669 bytes)
Oct 24 04:29:52 fw01 pluto[12480]: | NSS: length of decrypted sig = 35
Oct 24 04:29:52 fw01 pluto[12480]: | NSS : RSA Signature verified, hash values matched
Oct 24 04:29:52 fw01 pluto[12480]: loading certificate from fw01.ssiservices.biz - biz
Oct 24 04:29:52 fw01 pluto[12480]: added connection description "a10-Aville2Net192"
Oct 24 04:29:52 fw01 pluto[12480]: loading certificate from fw01.ssiservices.biz - biz
Oct 24 04:29:52 fw01 pluto[12480]: added connection description "a10-Aville2Net172"
Oct 24 04:29:52 fw01 pluto[12480]: loading secrets from "/etc/ipsec.secrets"
Oct 24 04:29:52 fw01 pluto[12480]: loaded private key for keyid: PPK_RSA:AwEAAa9J8
Oct 24 04:29:52 fw01 pluto[12480]: "a10-Aville2Net192" #1: initiating Main Mode
Oct 24 04:29:52 fw01 pluto[12480]: "a10-FP2Net192" #2: initiating Main Mode
ct 24 04:29:52 fw01 pluto[12480]: "a10-FP2Net192" #2: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Oct 24 04:29:52 fw01 pluto[12480]: "a10-FP2Net192" #2: I am sending my cert
Oct 24 04:29:52 fw01 pluto[12480]: "a10-FP2Net192" #2: I am sending a certificate request
Oct 24 04:29:52 fw01 pluto[12480]: "a10-FP2Net192" #2: Password passed to NSS is NSS Generic Crypto Services:<Correct - but it must think it is wrong or it wouldn't print it>
Oct 24 04:29:52 fw01 pluto[12480]: "a10-FP2Net192" #2: Password passed to NSS is NSS Generic Crypto Services:<Correct - but it must think it is wrong or it wouldn't print it>
Oct 24 04:29:52 fw01 pluto[12480]: "a10-FP2Net192" #2: Can't find the private key from the NSS CERT (err -8177)

Put password into nss.certs but not ipsec.secrets:
Same as above

Put password in both nss.certs and ipsec.secrets:
Same as above

Put password into ipsec.secrets only:
Almost the same as above except we see:
Oct 24 04:37:25 fw01 pluto[14011]: "a10-Aville2Net192" #3: Main mode peer ID is ID_DER_ASN1_DN: 'DC=com, DC=ebc-co, OU=VPNGateways, CN=AmityvilleSGGW'
Oct 24 04:37:25 fw01 pluto[14011]: | NSS: length of decrypted sig = 35
Oct 24 04:37:25 fw01 pluto[14011]: | NSS : RSA Signature verified, hash values matched
Oct 24 04:37:25 fw01 pluto[14011]: "a10-Aville2Net192" #3: no crl from issuer "DC=biz, DC=ssiservices, OU=PKI, CN=ssiclientca" found (strict=no)
Oct 24 04:37:25 fw01 pluto[14011]: | NSS: length of decrypted sig = 35
Oct 24 04:37:25 fw01 pluto[14011]: | NSS : RSA Signature verified, hash values matched
Oct 24 04:37:25 fw01 pluto[14011]: "a10-Aville2Net192" #3: I am sending my cert

I don't know if this is because the other side was initiating or because
there is some difference.  In any event, it still fails.

What do we do next to troubleshoot? Thanks - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

More information about the Users mailing list