Bug 1092913 - The default nss database created by ipsec can not be used
The default nss database created by ipsec can not be used
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: openswan (Show other bugs)
6.5
Unspecified Unspecified
medium Severity medium
: rc
: ---
Assigned To: Paul Wouters
Aleš Mareček
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2014-04-30 04:57 EDT by Patrik Kis
Modified: 2014-10-14 04:19 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-10-14 04:19:30 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2014:1588 normal SHIPPED_LIVE openswan bug fix and enhancement update 2014-10-13 21:39:53 EDT

  None (edit)
Description Patrik Kis 2014-04-30 04:57:17 EDT
Description of problem:
Openswan created a clean NSS database at the first ipsec daemon start, but the database can not be used, and it needs to be recreated by certutil. This should be working out of the box.

Version-Release number of selected component (if applicable):
openswan-2.6.32-27.3.el6_5

How reproducible:
always

Steps to Reproduce:

[root@rhel6 ~]# rpm -q openswan
openswan-2.6.32-27.3.el6_5.x86_64
[root@rhel6 ~]# 
[root@rhel6 ~]# ls -la /etc/ipsec.d/
total 12
drwx------.  3 root root 4096 Apr 30 10:46 .
drwxr-xr-x. 82 root root 4096 Apr 30 10:46 ..
drwx------.  2 root root 4096 Apr 30 10:46 policies
[root@rhel6 ~]# 
[root@rhel6 ~]# service ipsec start
ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-431.1.2.el6.x86_64...
ipsec_setup: multiple ip addresses, using  192.168.100.60 on eth0
[root@rhel6 ~]# ls -la /etc/ipsec.d/
total 72
drwx------.  3 root root  4096 Apr 30 10:47 .
drwxr-xr-x. 82 root root  4096 Apr 30 10:46 ..
-rw-------.  1 root root 65536 Apr 30 10:47 cert8.db
-rw-------.  1 root root 16384 Apr 30 10:47 key3.db
drwx------.  2 root root  4096 Apr 30 10:46 policies
-rw-------.  1 root root 16384 Apr 30 10:47 secmod.db
[root@rhel6 ~]# 
[root@rhel6 ~]# certutil -K -d /etc/ipsec.d/
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
certutil: could not authenticate to token NSS Certificate DB.: SEC_ERROR_IO: An I/O error occurred during security authorization.
[root@rhel6 ~]# 
[root@rhel6 ~]# ipsec newhostkey --configdir /etc/ipsec.d --output /etc/ipsec.secrets --bits 4096 --random /dev/urandom
ipsec rsasigkey: key pair generation failed: "-8037"
[root@rhel6 ~]# 
[root@rhel6 ~]# ipsec showhostkey --list
ipsec showhostkey nss directory showhostkey: /etc/ipsec.d
ipsec showhostkey "/etc/ipsec.secrets" line 2: Modulus keyword not found where expected in RSA key
[root@rhel6 ~]# cat /etc/ipsec.secrets 
: RSA	{
	}
# do not change the indenting of that "}"
[root@rhel6 ~]# 
[root@rhel6 ~]# rm -f /etc/ipsec.d/cert8.db 
[root@rhel6 ~]# certutil -N -d /etc/ipsec.d/
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password: 
Re-enter password: 
[root@rhel6 ~]# certutil -K -d /etc/ipsec.d/
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
certutil: no keys found
[root@rhel6 ~]# 
[root@rhel6 ~]# ipsec newhostkey --configdir /etc/ipsec.d --output /etc/ipsec.secrets --bits 4096 --random /dev/urandom
Generated RSA key pair using the NSS database
[root@rhel6 ~]# certutil -K -d /etc/ipsec.d/
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      5e288cf023374b156566945386a5f803c2fe2835   (orphan)
[root@rhel6 ~]# certutil -L -d /etc/ipsec.d/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

[root@rhel6 ~]# ipsec showhostkey --list
ipsec showhostkey nss directory showhostkey: /etc/ipsec.d
1(1): RSA keyid: AQOy2WVqU with id: (none)
1(2): RSA keyid: AQOy2WVqU with id: (none)
[root@rhel6 ~]# 


Actual results:
New keys can not be created.

Expected results:
New keys should be created.
Comment 2 Paul Wouters 2014-04-30 10:53:11 EDT
Ok, the following snippet of code should be added to the spec file in the %post section:

if [ ! -f %{_sysconfdir}/ipsec.d/cert8.db ] ; then
    TEMPFILE=$(/bin/mktemp %{_sysconfdir}/ipsec.d/nsspw.XXXXXXX)
    [ $? -gt 0 ] && TEMPFILE=%{_sysconfdir}/ipsec.d/nsspw.$$
    echo > ${TEMPFILE}
    certutil -N -f ${TEMPFILE} -d %{_sysconfdir}/ipsec.d
    restorecon %{_sysconfdir}/ipsec.d/*db 2>/dev/null || :
    rm -f ${TEMPFILE}
fi
Comment 6 Jaroslav Aster 2014-07-24 06:16:48 EDT
I can confirm it. Problem is that bug was fixed in spec file only, so after install openswan, db files are ok, but if you remove db files and openswan is restarted, broken files are created.
Comment 7 Paul Wouters 2014-07-30 20:33:46 EDT
this is now fixed within the _plutorun script with the new "ipsec --checknss" option.
Comment 10 errata-xmlrpc 2014-10-14 04:19:30 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1588.html

Note You need to log in before you can comment on or make changes to this bug.