Bug 1168407
| Summary: | pluto dumps core with an assertion failure during connection start for a PSK-using connection | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Chris Siebenmann <cks-rhbugzilla> |
| Component: | libreswan | Assignee: | Paul Wouters <pwouters> |
| Status: | CLOSED INSUFFICIENT_DATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 20 | CC: | cks-rhbugzilla, pwouters |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-03-25 22:51:02 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Chris Siebenmann
2014-11-26 20:25:11 UTC
Nov 26 14:53:47 hawkwind pluto[20875]: "/etc/ipsec.d/hostkey.secrets" line 14: CKAIDNSS keyword not found where expected in RSA key

Paul Wouters
It looks like you might have copied the RSA key from an openswan non-NSS compiled version into libreswan. libreswan is trying to look up the private key in NSS using the CKAIDNSS, but did not find it. For NSS migration of your keys/certs, please see: https://libreswan.org/wiki/Using_NSS_with_libreswan#Importing_third-party_certificates_into_NSS
Of course, libreswan should not crash on this, so we will look at that as a bug. But doing this migration might resolve your issue.

Chris Siebenmann
Aha. It's not so much that I copied hostkey.secrets explicitly, it's that I inherited it from previous versions of Fedora. This machine was installed in 2006 and has been upgraded from Fedora version to Fedora version ever since, so at some point OpenSWAN / libreswan / etc. changed but this old autogenerated-on-install hostkey didn't get updated. Since it's an autogenerated host key that I don't use, I've just deleted it.
Since upgrading from old Fedora versions for so long is likely quite rare, I suspect that this bug can be downgraded to a relatively unimportant status. (That this happened with a PSK but not when I switched to rsasig authentication is probably a red herring.)

Paul Wouters
Can you share the contents of ipsec.secrets or its include with the problematic host key? Just to confirm we understand the problem.

Chris Siebenmann
Created attachment 962198 [details]
hoskey.secrets

/etc/ipsec.secrets is just the standard 'include /etc/ipsec.d/*.secrets'. I've attached the hostkey.secrets file itself; as an autogenerated file that I never used, its contents are not sensitive.

Paul Wouters
So you tried to use preshared key without a PSK entry and this old non-NSS RSA key entry? So PSK should have failed for not finding a proper PSK entry, and it somehow got stuck on the old RSA key entry?
BTW, if just running GRE, you can increase your effective MTU by a few bytes when using Transport Mode, type=transport

Chris Siebenmann
I had my PSK in a separate /etc/ipsec.d/key.secrets file (now not needed after I switched to RSA signatures). Both ends are F20 machines and had the PSK, but only one end was old enough to have the hostkey.secrets file and it was the only end that hit the assertion failure.
I use tunnel mode for GRE because of the weird effects that GRE copying and using the underlying packet's TTL has in transport mode. For instance, traceroute over the GRE tunnel doesn't really work all that well; packets can vanish mysteriously in between the tunnel start point and end point.

Paul Wouters
I cannot seem to reproduce this. Using your secrets file, I get:

    [root@west ~]# ipsec auto --up westnet-eastnet
    002 "westnet-eastnet" #2: initiating v2 parent SA
    133 "westnet-eastnet" #2: STATE_PARENT_I1: initiate
    002 "westnet-eastnet" #2: transition from state STATE_IKEv2_START to state STATE_PARENT_I1
    133 "westnet-eastnet" #2: STATE_PARENT_I1: sent v2I1, expected v2R1
    003 "westnet-eastnet" #2: Failed to find our RSA key

which is what I would expect. I'm not sure how to try and reproduce this :(

Chris Siebenmann
Given how obscure this seems to be (and also that this was reported against Fedora 20), I suspect that it's okay to drop this bug as 'cannot reproduce, probably weird, may be gone in the latest updates'.

Paul Wouters
ok, thanks
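The maintainer's diagnosis in this thread is that libreswan finds the private key in NSS through a CKAIDNSS keyword inside the RSA stanza, and a stanza inherited from an old non-NSS openswan build has no such keyword. As an added check for hosts that have been upgraded in place (this is not code from the bug report or from libreswan), the following scans a secrets file for RSA stanzas that lack CKAIDNSS; the sample file is constructed, and the keyword names follow the standard ipsec.secrets RSA syntax.

```python
import re

# Constructed sample in ipsec.secrets syntax (not the reporter's attachment): a PSK
# line, then an RSA stanza as an old non-NSS openswan wrote it, with no CKAIDNSS.
SAMPLE_SECRETS = """\
# PSK for the GRE tunnel peers
192.0.2.1 198.51.100.2 : PSK "constructed-example-psk"

: RSA {
    # RSA 2192 bits   hawkwind   Thu Jan  1 00:00:00 2006
    Modulus: 0x00c0ffee
    PublicExponent: 0x03
    # everything after this point is secret
    PrivateExponent: 0x00abcdef
    Prime1: 0x0b
    Prime2: 0x0d
    Coefficient: 0x05
}
"""

RSA_OPEN = re.compile(r"^[^:]*:\s*RSA\s*\{$")   # optional selectors, then ': RSA {'
KEYWORD = re.compile(r"^([A-Za-z0-9]+):\s*\S")  # 'Modulus: 0x...' style lines

def scan_rsa_stanzas(text):
    """One record per ': RSA { ... }' stanza: opening line number, keywords seen,
    and whether CKAIDNSS (the handle libreswan uses to look the key up in NSS)
    is present. Comments are stripped; an unterminated stanza is still reported."""
    records, current = [], None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if current is None:
            if RSA_OPEN.match(line):
                current = {"line": lineno, "keywords": set()}
        elif line == "}":
            records.append(current)
            current = None
        elif (m := KEYWORD.match(line)):
            current["keywords"].add(m.group(1))
    if current is not None:
        records.append(current)  # truncated file must not hide a stanza
    for rec in records:
        rec["has_ckaid"] = "CKAIDNSS" in rec["keywords"]
    return records

def legacy_rsa_lines(text):
    """Line numbers of RSA stanzas that would fail libreswan's CKAIDNSS lookup."""
    return [r["line"] for r in scan_rsa_stanzas(text) if not r["has_ckaid"]]
```

The scanner reads one file's text; since /etc/ipsec.secrets here only does `include /etc/ipsec.d/*.secrets`, run it over each included file.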