[Openswan Users] nss DH woes

Kevin Keane subscription at kkeane.com
Mon Aug 1 13:04:55 EDT 2011


> -----Original Message-----
> From: users-bounces at openswan.org [mailto:users-bounces at openswan.org]
> On Behalf Of Tuomo Soini
> Sent: Monday, August 01, 2011 1:20 AM
> To: users at openswan.org
> Subject: Re: [Openswan Users] nss DH woes
> 
> On Fri, 29 Jul 2011 20:21:58 -0700
> Kevin Keane <subscription at kkeane.com> wrote:
> 
> > I found my problem. It was a misconfiguration.
> >
> > There still is a bug here: openswan fails very ungracefully in this
> > situation, and the error messages give no hint as to what actually is
> > wrong.
> >
> > My nsspassword file was wrong. It should contain ONLY the password. I
> > had a prefix in it, as follows:
> >
> > NSS FIPS 140-2 Certificate DB:XXXXXXXXXXXXXXXXX
> 
> This is the correct way to define the password.
> 
> nsspassword requires the prefix.
> 
> If your setup works without the prefix, it means you have an nss db without a password
> set. The documentation is correct here. Generally, what you did was the same as
> removing the nsspassword file.

No, that is definitely not the case. The nss db has a password; I can verify that with certutil: certutil -K -d /etc/ipsec.d asks for a password, and only shows me the keys in the database when I type the correct one.

Maybe it has to do with FIPS mode/non-FIPS mode. Or maybe RedHat implemented a patch that doesn't use the prefix.
