Bug 725699

Summary: Pluto crashes with NSS DH "slot null" error
Product: Red Hat Enterprise Linux 5
Reporter: Kevin Keane <subscription>
Component: openswan
Assignee: Avesh Agarwal <avagarwa>
Status: CLOSED NOTABUG
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified
Priority: unspecified
Version: 5.6
CC: jrieden, sgrubb
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2011-10-03 16:11:17 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Kevin Keane 2011-07-26 10:33:22 UTC
Description of problem:

My system is connecting to a Sonicwall TZ 100. The connection works when using a PSK and the NSS cert DB is empty.

When I add a certificate to the database, Pluto crashes as soon as the peer tries to establish a connection (even when the connection is still configured for PSK and doesn't actually use the certificates).

The error message indicates: packet from 68.111.234.25:500: NSS: slot for DH key gen is NULL

Version-Release number of selected component (if applicable):

openswan-2.6.21-5.el5_6.4

Installed from standard RPM.

Kernel is 2.6.35.4-rscloud #8 SMP Mon Sep 20 15:54:33 UTC 2010 x86_64 x86_64 x86_64 GNU/Linux

How reproducible:

Steps to Reproduce:
1. set up Openswan (I will upload details shortly)

Actual results:

Pluto crashes and restarts with error message "packet from 68.111.234.25:500: NSS: slot for DH key gen is NULL"

Expected results:

Pluto does not restart. Pluto should gracefully handle this error situation and either produce a useful error message, or resolve the error internally.

Additional info:

This is on a Rackspace cloud server. Thus, the kernel is non-standard but Rackspace proprietary.

Comment 1 Kevin Keane 2011-07-30 05:41:50 UTC
The root cause that triggered this situation was a configuration error. My nsspassword file contained the text:

NSS FIPS 140-2 Certificate DB:XXXXXXXX

instead of just the password by itself.

There are thus three separate problems:

- An incorrect password should not cause pluto to crash.
- Pluto should produce a more meaningful error message than "slot for DH key gen is NULL"
- The correct nsspassword format either needs to be documented more clearly, or (preferred) it needs to handle the format I used. The incorrect format is apparently for an older version of openswan and easily discovered via Google in posts to the openswan mailing lists. For instance: http://lists.openswan.org/pipermail/users/2009-October/017697.html

The correct format is not as easy to discover.