[Openswan Users] nss DH woes

Richard Pickett richard.pickett at csrtechnologies.com
Sat Jul 30 21:41:33 EDT 2011


> I found my problem. It was a misconfiguration.
>
> There still is a bug here: openswan fails very ungracefully in this
> situation, and the error messages give no hint as to what actually is wrong.
>
> My nsspassword file was wrong. It should contain ONLY the password. I had a
> prefix in it, as follows:
>
> NSS FIPS 140-2 Certificate DB:XXXXXXXXXXXXXXXXX
>

I was using nss w/ out a password (allowed according to the docs). I'll try
it with a password right now.

In light of Kevin's finding, someone should update README.nss as it contains
this:

Important thing to note:
i) You only need the "nsspassword" file if you run pluto in FIPS. In other
words, if you run pluto in normal or NonFIPS mode, then you can create the NSS
database without password, and you need not create a "nsspassword" file.
However, if the NSS db is created with a password, the "nsspassword" file
must also be provided.

ii) An example of nsspassword file is as follows:

token_1_name:its_password
token_2_name:its_password

For example, the name of NSS softtoken (or NSS database) is
"NSS Certificate DB" in NonFIPS mode, and assume that its password is xyz.
So an entry for this in nsspassword file can be:

NSS Certificate DB:xyz

Please note that if FIPS mode is set, then the name of NSS softtoken is
"NSS FIPS 140-2 Certificate DB". If there are smartcards in the system,
their entries for passwords should also be entered in this file. Please note
that there should not be any blank space before the token name, before and
after the colon, and after the password.
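Since the thread's point is that pluto gives no useful error when this file is malformed, here is an added checker (example code written for this page, not part of openswan or README.nss) that applies the README rules quoted above: one `token_name:its_password` per line, no blank space before the token, around the colon, or after the password, and the softoken name that pluto will look up depending on FIPS mode. Treating blank lines as harmless is an assumption of this example, not something README.nss states.

```python
from typing import Dict, List, Tuple

# Softoken names exactly as given in the README.nss text quoted above.
SOFTOKEN_NONFIPS = "NSS Certificate DB"
SOFTOKEN_FIPS = "NSS FIPS 140-2 Certificate DB"


def expected_softoken(fips: bool) -> str:
    """Name of the NSS softoken whose password pluto needs, by FIPS mode."""
    return SOFTOKEN_FIPS if fips else SOFTOKEN_NONFIPS


def check_nsspassword(text: str, fips: bool) -> Tuple[Dict[str, str], List[str]]:
    """Parse an nsspassword file body; return (token -> password, problems).

    Problems are the whitespace and layout mistakes README.nss warns about,
    plus a missing entry for the softoken name the running mode expects.
    """
    entries: Dict[str, str] = {}
    problems: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip("\r")
        if not line.strip():
            continue  # assumption: blank lines are ignored, not an error
        if ":" not in line:
            problems.append(f"line {lineno}: no ':' separator (password-only line?)")
            continue
        token, password = line.split(":", 1)  # first colon separates the fields
        if token != token.lstrip():
            problems.append(f"line {lineno}: blank space before token name")
        if token != token.rstrip():
            problems.append(f"line {lineno}: blank space before ':'")
        if password != password.lstrip():
            problems.append(f"line {lineno}: blank space after ':'")
        if password != password.rstrip():
            problems.append(f"line {lineno}: blank space after password")
        if not password.strip():
            problems.append(f"line {lineno}: empty password for {token.strip()!r}")
        entries[token.strip()] = password.strip()
    want = expected_softoken(fips)
    if want not in entries:
        # The classic mistake from this thread: the FIPS token name in a
        # non-FIPS configuration (or vice versa), so the lookup finds nothing.
        other = SOFTOKEN_NONFIPS if fips else SOFTOKEN_FIPS
        hint = f" (found {other!r}: FIPS-mode mismatch?)" if other in entries else ""
        problems.append(f"no entry for softoken {want!r}{hint}")
    return entries, problems
```

Run it over the file before restarting pluto; an empty `problems` list means every README rule is satisfied for the chosen mode.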