[Openswan Users] {Disarmed} Re: NSS mandatory?

Michael H. Warfield mhw at WittsEnd.com
Sun Jul 24 13:35:41 EDT 2011


On Sun, 2011-07-24 at 17:57 +0800, Curu Wong wrote: 
> In CentOS 5, the distribution openswan rpm package uses NSS, and it seems
> there's no configuration option to disable that.  Maybe you can download
> the source RPM and recompile it without NSS.

1) You can also do it by rebuilding the rpm.  Download and install the
source rpm and edit the .spec file and change these lines:

%define USE_LIBNSS 1
%define USE_FIPSCHECK 1

to

%define USE_LIBNSS 0
%define USE_FIPSCHECK 0

Probably want to bump the release count as well.

Rebuild, install, and disable from yum in yum.conf.  I was doing that
for ages till biting the bullet and getting NSS working.

2) They didn't switch to NSS to lock it down harder (that's more the FIPS
checking than NSS though NSS might be necessary for the FIPS checking).
They did it more to unify more of the crypto on the system under a
common package instead of having OpenSSL based packages and NSS based
packages and GPG based packages, etc, etc, etc.  I don't necessarily
agree with their choice of NSS for their target common system and I
don't necessarily think that unifying all the crypto under one common
paradigm is necessarily a good thing either.  One size fits all often
ends up a compromise of suboptimal results for everyone.  But that's
the choice they've made.

3) Turns out that switching to NSS is not that terribly difficult and it
then removes the burden of manually maintaining Openswan from there
onward as newer releases come out.  It ends up taking just a little bit
of time to convert from the flat file X.509 certs and storing those same
certs in the NSS database but, once it's done, you no longer have to
worry about an update breaking your setups.  In fact, once I had the
conversion script written, it took less time to convert a dozen or so
endpoints over to using NSS with the same certs I was using for flat
file X.509 certs than it did to scramble and recover the same endpoints
and the broken VPN after a single incident where an update knocked the
VPN off line.  A judicious choice of file names matching subject names
and you can even keep a copy of the certs in both flat files and the NSS
database and your installation becomes completely agnostic to whether
you have USE_LIBNSS enabled or disabled.  A big win in my book where I'm
doing development and testing.

If you search the archives for this list you'll find a lot of helpful
hints from myself and others on how to easily and painlessly convert.

Regards,
Mike


> 2011/7/24 Richard Pickett <richard.pickett at csrtechnologies.com>
> 
> > Hi all (Hi Paul!),
> >
> > Sooooo, I've got openswan installed stock-rpm on centos 5.1. I didn't do
> > anything special to recompile, install extra mods, etc.
> >
> > I'm using (as you guys probably know) x.509 auth on my connections. I
> > really don't want to use nss, but can. I just don't need that level of
> > lock-down.
> >
> > I'm thinking maybe NSS is mandatory now, I'm connecting w/ shrewsoft and as
> > soon as the connection starts this is what hits the /var/log/secure:
> >
> > Jul 23 18:37:18 vhost5 pluto[4810]: packet from 74.137.71.67:55197:
> > received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
> > Jul 23 18:37:18 vhost5 pluto[4810]: packet from 74.137.71.67:55197:
> > ignoring unknown Vendor ID payload [16f6ca16e4a4066d83821a0f0aeaa862]
> > Jul 23 18:37:18 vhost5 pluto[4810]: packet from 74.137.71.67:55197:
> > received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set
> > to=106
> > Jul 23 18:37:18 vhost5 pluto[4810]: packet from 74.137.71.67:55197:
> > received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set
> > to=108
> > Jul 23 18:37:18 vhost5 pluto[4810]: packet from 74.137.71.67:55197:
> > received Vendor ID payload [RFC 3947] method set to=109
> > Jul 23 18:37:18 vhost5 pluto[4810]: packet from 74.137.71.67:55197:
> > ignoring Vendor ID payload [FRAGMENTATION 80000000]
> > Jul 23 18:37:18 vhost5 pluto[4810]: packet from 74.137.71.67:55197:
> > received Vendor ID payload [Dead Peer Detection]
> > Jul 23 18:37:18 vhost5 pluto[4810]: packet from 74.137.71.67:55197:
> > ignoring unknown Vendor ID payload [f14b94b7bff1fef02773b8c49feded26]
> > Jul 23 18:37:18 vhost5 pluto[4810]: packet from 74.137.71.67:55197:
> > ignoring unknown Vendor ID payload
> > [166f932d55eb64d8e4df4fd37e2313f0d0fd8451]
> > Jul 23 18:37:18 vhost5 pluto[4810]: packet from 74.137.71.67:55197:
> > ignoring unknown Vendor ID payload [8404adf9cda05760b2ca292e4bff537b]
> > Jul 23 18:37:18 vhost5 pluto[4810]: packet from 74.137.71.67:55197:
> > received Vendor ID payload [Cisco-Unity]
> > Jul 23 18:37:18 vhost5 pluto[4810]: "mobileaegisclient"[1] 74.137.71.67 #1:
> > responding to Main Mode from unknown peer 74.137.71.67
> > Jul 23 18:37:18 vhost5 pluto[4810]: "mobileaegisclient"[1] 74.137.71.67 #1:
> > transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> > Jul 23 18:37:18 vhost5 pluto[4810]: "mobileaegisclient"[1] 74.137.71.67 #1:
> > STATE_MAIN_R1: sent MR1, expecting MI2
> > Jul 23 18:37:18 vhost5 pluto[4810]: "mobileaegisclient"[1] 74.137.71.67 #1:
> > NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
> > *Jul 23 18:37:18 vhost5 pluto[4810]: NSS: DH private key creation failed*
> > Jul 23 18:37:29 vhost5 ipsec__plutorun: Restarting Pluto subsystem...
> > *Jul 23 18:37:29 vhost5 pluto[5363]: nss directory plutomain: /etc/ipsec.d
> > *
> > *Jul 23 18:37:29 vhost5 pluto[5363]: NSS Initialized*
> > Jul 23 18:37:29 vhost5 pluto[5363]: Not able to open
> > /proc/sys/crypto/fips_enabled, returning non-fips mode
> > Jul 23 18:37:29 vhost5 pluto[5363]: Not able to open
> > /proc/sys/crypto/fips_enabled, returning non-fips mode
> > Jul 23 18:37:29 vhost5 pluto[5363]: Starting Pluto (Openswan Version
> > 2.6.21; Vendor ID OE~q\177kZNr}Wk) pid:5363
> > Jul 23 18:37:29 vhost5 pluto[5363]: Setting NAT-Traversal port-4500
> > floating to on
> > Jul 23 18:37:29 vhost5 pluto[5363]:    port floating activation criteria
> > nat_t=1/port_float=1
> > Jul 23 18:37:29 vhost5 pluto[5363]:    including NAT-Traversal patch
> > (Version 0.6c)
> > Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): Activating
> > OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
> > Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): Activating
> > OAKLEY_TWOFISH_CBC: Ok (ret=0)
> > Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): Activating
> > OAKLEY_SERPENT_CBC: Ok (ret=0)
> > Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): Activating
> > OAKLEY_AES_CBC: Ok (ret=0)
> > Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): Activating
> > OAKLEY_BLOWFISH_CBC: Ok (ret=0)
> > Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_hash(): Activating
> > OAKLEY_SHA2_512: Ok (ret=0)
> > Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_hash(): Activating
> > OAKLEY_SHA2_256: Ok (ret=0)
> >  Jul 23 18:37:29 vhost5 pluto[5363]: starting up 3 cryptographic helpers
> > Jul 23 18:37:29 vhost5 pluto[5363]: main fd(8) helper fd(9)
> > Jul 23 18:37:29 vhost5 pluto[5363]: started helper (thread) pid=1097259328
> > (fd:8)
> > Jul 23 18:37:29 vhost5 pluto[5363]: main fd(10) helper fd(11)
> > Jul 23 18:37:29 vhost5 pluto[5363]: started helper (thread) pid=1105652032
> > (fd:10)
> > Jul 23 18:37:29 vhost5 pluto[5363]: main fd(12) helper fd(13)
> > Jul 23 18:37:29 vhost5 pluto[5363]: started helper (thread) pid=1114044736
> > (fd:12)
> > Jul 23 18:37:29 vhost5 pluto[5363]: Using Linux 2.6 IPsec interface code on
> > 2.6.39.1-x86_64-linode19 (experimental code)
> > Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): WARNING: enc
> > alg=0 not found in constants.c:oakley_enc_names
> > Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): Activating
> > <NULL>: Ok (ret=0)
> > Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): WARNING: enc
> > alg=0 not found in constants.c:oakley_enc_names
> > Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_add(): ERROR: Algorithm already
> > exists
> > Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): Activating
> > <NULL>: FAILED (ret=-17)
> > Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): WARNING: enc
> > alg=0 not found in constants.c:oakley_enc_names
> > Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_add(): ERROR: Algorithm already
> > exists
> > Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): Activating
> > <NULL>: FAILED (ret=-17)
> > Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): WARNING: enc
> > alg=0 not found in constants.c:oakley_enc_names
> > Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_add(): ERROR: Algorithm already
> > exists
> > Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): Activating
> > <NULL>: FAILED (ret=-17)
> > Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): WARNING: enc
> > alg=0 not found in constants.c:oakley_enc_names
> > Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_add(): ERROR: Algorithm already
> > exists
> > Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): Activating
> > <NULL>: FAILED (ret=-17)
> > Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): WARNING: enc
> > alg=0 not found in constants.c:oakley_enc_names
> > Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_add(): ERROR: Algorithm already
> > exists
> > Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): Activating
> > <NULL>: FAILED (ret=-17)
> > Jul 23 18:37:29 vhost5 pluto[5363]: Changed path to directory
> > '/etc/ipsec.d/cacerts'
> > Jul 23 18:37:29 vhost5 pluto[5363]:   loaded CA cert file 'ca_crt.pem'
> > (3816 bytes)
> > Jul 23 18:37:29 vhost5 pluto[5363]:   loaded CA cert file
> > '0000-SERVER-CA.pem' (3816 bytes)
> > Jul 23 18:37:29 vhost5 pluto[5363]: Could not change to directory
> > '/etc/ipsec.d/aacerts': /etc/ipsec.d
> > Jul 23 18:37:29 vhost5 pluto[5363]: Could not change to directory
> > '/etc/ipsec.d/ocspcerts': /etc/ipsec.d
> > Jul 23 18:37:29 vhost5 pluto[5363]: Changing to directory
> > '/etc/ipsec.d/crls'
> > Jul 23 18:37:29 vhost5 pluto[5363]:   loaded crl file
> > 'mobile_aegils_crl.pem' (1783 bytes)
> > Jul 23 18:37:29 vhost5 pluto[5363]: | NSS: length of decrypted sig = 35
> > Jul 23 18:37:29 vhost5 pluto[5363]: | NSS : RSA Signature verified, hash
> > values matched
> > Jul 23 18:37:29 vhost5 pluto[5363]: loading certificate from
> > 0000-SERVER-CERT.pem
> > Jul 23 18:37:29 vhost5 pluto[5363]:     could not open host cert with nick
> > name '0000-SERVER-CERT.pem' in NSS DB
> > Jul 23 18:37:29 vhost5 pluto[5363]: added connection description
> > "mobileaegisclient"
> > Jul 23 18:37:29 vhost5 pluto[5363]: listening for IKE messages
> > Jul 23 18:37:29 vhost5 pluto[5363]: adding interface eth0:cp1/eth0:cp1
> > 192.168.141.50:500
> > Jul 23 18:37:29 vhost5 pluto[5363]: adding interface eth0:cp1/eth0:cp1
> > 192.168.141.50:4500
> > Jul 23 18:37:29 vhost5 pluto[5363]: adding interface eth0/eth0
> > 173.255.254.20:500
> > Jul 23 18:37:29 vhost5 pluto[5363]: adding interface eth0/eth0
> > 173.255.254.20:4500
> > Jul 23 18:37:29 vhost5 pluto[5363]: adding interface lo/lo 127.0.0.1:500
> > Jul 23 18:37:29 vhost5 pluto[5363]: adding interface lo/lo 127.0.0.1:4500
> > Jul 23 18:37:29 vhost5 pluto[5363]: adding interface lo/lo ::1:500
> > Jul 23 18:37:29 vhost5 pluto[5363]: loading secrets from
> > "/etc/ipsec.secrets"
> > Jul 23 18:37:29 vhost5 pluto[5363]: loading secrets from
> > "/etc/ipsec.d/ca.secrets"
> > *Jul 23 18:37:33 vhost5 pluto[5363]: packet from 74.137.71.67:55197: phase
> > 1 message is part of an unknown exchange*
> >
> >
> > Since it restarts pluto, naturally it has no idea what this message is,
> > since it's already forgotten this conversation.
> >
> > Am I right about NSS? Is there a way to turn it off, or do I just have to
> > bite the bullet? If I use NSS, how much of my ipsec rsa config gets changed?
> >
> > Thanks!
> >
> > _______________________________________________
> > Users at openswan.org
> > http://lists.openswan.org/mailman/listinfo/users
> > Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> > Building and Integrating Virtual Private Networks with Openswan:
> > http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> >
> >

-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
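
Added example, not part of the original message and not the conversion script mentioned in point 3: a dry-run generator for the flat-file-to-NSS conversion, using the NSS nickname that the quoted log shows pluto looking up (the cert file name, e.g. '0000-SERVER-CERT.pem'). Assumptions: the standard cacerts/, certs/ and private/ layout under /etc/ipsec.d, a private key stored under the same file name as its certificate, and a database directory path that contains no single quotes.

```shell
#!/bin/sh
# Added example: print (do not run) the commands that copy Openswan flat-file
# X.509 material into the NSS database in the same directory.
# Assumptions: certs/NAME.pem has its key in private/NAME.pem, and the NSS
# nickname is the cert file name, so leftcert= resolves with or without NSS.

safe_name() {   # only plain file names may appear in generated commands
    case "$1" in
        ""|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

nss_import_plan() {
    dir=${1:-/etc/ipsec.d}
    echo "umask 077"    # the temporary .p12 files hold private keys
    # Create a database only if neither the old nor the new format exists.
    if [ ! -f "$dir/cert8.db" ] && [ ! -f "$dir/cert9.db" ]; then
        echo "certutil -N -d '$dir'"
    fi
    for ca in "$dir"/cacerts/*.pem; do
        [ -f "$ca" ] || continue
        nick=${ca##*/}
        safe_name "$nick" || { echo "skipped unsafe name in cacerts" >&2; continue; }
        # Trust flags: C = trusted CA, T = may issue client certificates.
        echo "certutil -A -d '$dir' -n '$nick' -t 'CT,,' -a -i '$ca'"
    done
    for crt in "$dir"/certs/*.pem; do
        [ -f "$crt" ] || continue
        nick=${crt##*/}
        safe_name "$nick" || { echo "skipped unsafe name in certs" >&2; continue; }
        key=$dir/private/$nick
        [ -f "$key" ] || { echo "skipped $nick: no private/$nick" >&2; continue; }
        p12=$dir/private/${nick%.pem}.p12
        # -name sets the PKCS#12 friendly name, which NSS uses as the nickname.
        echo "openssl pkcs12 -export -in '$crt' -inkey '$key' -name '$nick' -out '$p12'"
        echo "pk12util -i '$p12' -d '$dir'"
        echo "rm -f '$p12'"
    done
    return 0
}

# Review the plan, save it to a file, then run that file as root.
nss_import_plan "$@"
```

The flat files are left in place, so the same directory serves a build with USE_LIBNSS set to 0 or 1.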