Re: [CentOS] upgrade to 5.4 openswan broke

2009-10-23 Thread Ralph Angenendt
On Fri, Oct 23, 2009 at 5:33 AM, Myron Williams l...@wcstc.com wrote:

> Any help would be appreciated.

I just got told that you have to feed all certificates to nss storage
instead of having them in pem files.

See README.nss for more hints.

Regards,

Ralph
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] upgrade to 5.4 openswan broke

2009-10-23 Thread Timothy Murphy
Ralph Angenendt wrote:

> I just got told that you have to feed all certificates to nss storage
> instead of having them in pem files.
>
> See README.nss for more hints.

I found these remarks, as also /usr/share/doc/openssh-4.3p2/README.nss,
more or less unintelligible.

Does one really have to do this?

-- 
Timothy Murphy  
e-mail: gayleard /at/ eircom.net
tel: +353-86-2336090, +353-1-2842366
s-mail: School of Mathematics, Trinity College, Dublin 2, Ireland



Re: [CentOS] upgrade to 5.4 openswan broke

2009-10-23 Thread Ralph Angenendt
On Fri, Oct 23, 2009 at 1:28 PM, Timothy Murphy gayle...@eircom.net wrote:
> Ralph Angenendt wrote:
>
>> I just got told that you have to feed all certificates to nss storage
>> instead of having them in pem files.
>>
>> See README.nss for more hints.
>
> I found these remarks, as also /usr/share/doc/openssh-4.3p2/README.nss,
> more or less unintelligible.

It's README.nss in the openswan documentation which comes with the
openswan-doc package.

> Does one really have to do this?

Yes. Upstream seems to want to be FIPS 140-2 compliant. I wonder why
there aren't *ANY* warnings in upstream's release notes regarding
that.

Sorry, we didn't catch that during QA as nobody doing so had openswan
configured :)

Regards,

Ralph


[CentOS] upgrade to 5.4 openswan broke

2009-10-22 Thread Myron Williams
Hi All,

I upgraded from 5.3 to 5.4 today on a vpn gateway using openswan.  After
the upgrade the vpn stopped working.  From what I could tell the new
version of openswan uses NSS.  I tried following the instructions in
this thread https://bugzilla.redhat.com/show_bug.cgi?id=508107 without
success.

  # certutil -N -d sql:/etc/ipsec.d
certutil: function failed: security library: bad database.

If I ran the command without the sql: like this
  # certutil -N -d /etc/ipsec.d
it would create the database files.
I would then execute
  # modutil -fips true -dbdir /etc/ipsec.d
followed by
  # /usr/sbin/ipsec newhostkey --configdir /etc/ipsec.d/nssdb \
      --password password1 --output /etc/ipsec.d/host.secrets
After replacing the hostkey in the file I tried to bring the connection
up but the connection would not start and the following error message
was in the log file.
  unable to locate my private key for RSA Signature
  sending notification AUTHENTICATION_FAILED
I finally had to downgrade from openswan-2.6.21-5.el5 to
openswan-2.6.14-1.el5 to get things to work.

Am I missing something that is needed to make this work?

Any help would be appreciated.

Myron Williams



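The three steps from Myron's post, collected into one script that is added here and is not from any poster in the thread: every step uses the same NSS_DIR, so the database certutil initialises is the one newhostkey writes into and pluto reads, and afterwards it checks that certutil actually lists an RSA private key and that the generated secrets file carries an RSA entry. NSS_DIR, PWFILE and SECRETS are assumed paths, not package defaults.

```shell
#!/bin/sh
# Added example (not from the thread): initialise openswan's NSS store on
# CentOS 5.4 and confirm the RSA host key really landed in it.
# Assumes nss-tools (certutil, modutil) and openswan are installed.
# NSS_DIR, PWFILE and SECRETS are assumed locations.
NSS_DIR="${NSS_DIR:-/etc/ipsec.d}"
PWFILE="${PWFILE:-/etc/ipsec.d/nsspassword}"      # one line: the NSS password
SECRETS="${SECRETS:-/etc/ipsec.d/host.secrets}"

# True when DIR holds a legacy (dbm) NSS database, i.e. the files that
# "certutil -N -d DIR" creates when the sql: prefix is not used.
nss_db_ready() {
    [ -f "$1/cert8.db" ] && [ -f "$1/key3.db" ] && [ -f "$1/secmod.db" ]
}

# Number of RSA private keys certutil lists in DIR ("< n> rsa ..." lines).
# Zero is what produces "unable to locate my private key for RSA Signature".
nss_rsa_key_count() {
    certutil -K -d "$1" -f "$PWFILE" 2>/dev/null \
        | grep -c '^<[[:space:]]*[0-9][0-9]*>[[:space:]]*rsa' || true
}

# True when a secrets file has at least one ": RSA" entry (newhostkey output).
secrets_has_rsa() {
    grep -q '^[[:space:]]*:[[:space:]]*RSA' "$1"
}

setup_nss_store() {
    if ! nss_db_ready "$NSS_DIR"; then
        certutil -N -d "$NSS_DIR" -f "$PWFILE"
    fi
    modutil -fips true -dbdir "$NSS_DIR" -force
    # Same directory as above; the password is the NSS database password.
    /usr/sbin/ipsec newhostkey --configdir "$NSS_DIR" \
        --password "$(cat "$PWFILE")" --output "$SECRETS"
    grep -q "^include $SECRETS" /etc/ipsec.secrets 2>/dev/null ||
        echo "include $SECRETS" >> /etc/ipsec.secrets
    secrets_has_rsa "$SECRETS" || { echo "no RSA entry in $SECRETS" >&2; return 1; }
    n=$(nss_rsa_key_count "$NSS_DIR")
    [ "$n" -gt 0 ] || { echo "no RSA key in $NSS_DIR" >&2; return 1; }
    echo "NSS store $NSS_DIR: $n RSA key(s); secrets in $SECRETS"
}

# Run only as "sh setup-nss.sh run"; sourcing the file just defines the functions.
if [ "${1:-}" = "run" ]; then
    setup_nss_store
fi
```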