1092913 – The default nss database created by ipsec can not be used

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1092913 - The default nss database created by ipsec can not be used

Summary: The default nss database created by ipsec can not be used

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	openswan
Sub Component:
Version:	6.5
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Paul Wouters
QA Contact:	Aleš Mareček
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2014-04-30 08:57 UTC by Patrik Kis
Modified:	2014-10-14 08:19 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-10-14 08:19:30 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2014:1588	0	normal	SHIPPED_LIVE	openswan bug fix and enhancement update	2014-10-14 01:39:53 UTC

Description Patrik Kis 2014-04-30 08:57:17 UTC

Description of problem:
Openswan created a clean NSS database at the first ipsec daemon start, but the database can not be used, and it needs to be recreated by certutil. This should be working out of the box.

Version-Release number of selected component (if applicable):
openswan-2.6.32-27.3.el6_5

How reproducible:
always

Steps to Reproduce:

[root@rhel6 ~]# rpm -q openswan
openswan-2.6.32-27.3.el6_5.x86_64
[root@rhel6 ~]# 
[root@rhel6 ~]# ls -la /etc/ipsec.d/
total 12
drwx------.  3 root root 4096 Apr 30 10:46 .
drwxr-xr-x. 82 root root 4096 Apr 30 10:46 ..
drwx------.  2 root root 4096 Apr 30 10:46 policies
[root@rhel6 ~]# 
[root@rhel6 ~]# service ipsec start
ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-431.1.2.el6.x86_64...
ipsec_setup: multiple ip addresses, using  192.168.100.60 on eth0
[root@rhel6 ~]# ls -la /etc/ipsec.d/
total 72
drwx------.  3 root root  4096 Apr 30 10:47 .
drwxr-xr-x. 82 root root  4096 Apr 30 10:46 ..
-rw-------.  1 root root 65536 Apr 30 10:47 cert8.db
-rw-------.  1 root root 16384 Apr 30 10:47 key3.db
drwx------.  2 root root  4096 Apr 30 10:46 policies
-rw-------.  1 root root 16384 Apr 30 10:47 secmod.db
[root@rhel6 ~]# 
[root@rhel6 ~]# certutil -K -d /etc/ipsec.d/
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
certutil: could not authenticate to token NSS Certificate DB.: SEC_ERROR_IO: An I/O error occurred during security authorization.
[root@rhel6 ~]# 
[root@rhel6 ~]# ipsec newhostkey --configdir /etc/ipsec.d --output /etc/ipsec.secrets --bits 4096 --random /dev/urandom
ipsec rsasigkey: key pair generation failed: "-8037"
[root@rhel6 ~]# 
[root@rhel6 ~]# ipsec showhostkey --list
ipsec showhostkey nss directory showhostkey: /etc/ipsec.d
ipsec showhostkey "/etc/ipsec.secrets" line 2: Modulus keyword not found where expected in RSA key
[root@rhel6 ~]# cat /etc/ipsec.secrets 
: RSA	{
	}
# do not change the indenting of that "}"
[root@rhel6 ~]# 
[root@rhel6 ~]# rm -f /etc/ipsec.d/cert8.db 
[root@rhel6 ~]# certutil -N -d /etc/ipsec.d/
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password: 
Re-enter password: 
[root@rhel6 ~]# certutil -K -d /etc/ipsec.d/
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
certutil: no keys found
[root@rhel6 ~]# 
[root@rhel6 ~]# ipsec newhostkey --configdir /etc/ipsec.d --output /etc/ipsec.secrets --bits 4096 --random /dev/urandom
Generated RSA key pair using the NSS database
[root@rhel6 ~]# certutil -K -d /etc/ipsec.d/
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      5e288cf023374b156566945386a5f803c2fe2835   (orphan)
[root@rhel6 ~]# certutil -L -d /etc/ipsec.d/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

[root@rhel6 ~]# ipsec showhostkey --list
ipsec showhostkey nss directory showhostkey: /etc/ipsec.d
1(1): RSA keyid: AQOy2WVqU with id: (none)
1(2): RSA keyid: AQOy2WVqU with id: (none)
[root@rhel6 ~]# 


Actual results:
New keys can not be created.

Expected results:
New keys should be created.

Comment 2 Paul Wouters 2014-04-30 14:53:11 UTC

Ok, the following snippet of code should be added to the spec file in the %post section:

if [ ! -f %{_sysconfdir}/ipsec.d/cert8.db ] ; then
    TEMPFILE=$(/bin/mktemp %{_sysconfdir}/ipsec.d/nsspw.XXXXXXX)
    [ $? -gt 0 ] && TEMPFILE=%{_sysconfdir}/ipsec.d/nsspw.$$
    echo > ${TEMPFILE}
    certutil -N -f ${TEMPFILE} -d %{_sysconfdir}/ipsec.d
    restorecon %{_sysconfdir}/ipsec.d/*db 2>/dev/null || :
    rm -f ${TEMPFILE}
fi

Comment 6 Jaroslav Aster 2014-07-24 10:16:48 UTC

I can confirm it. Problem is that bug was fixed in spec file only, so after install openswan, db files are ok, but if you remove db files and openswan is restarted, broken files are created.

Comment 7 Paul Wouters 2014-07-31 00:33:46 UTC

this is now fixed within the _plutorun script with the new "ipsec --checknss" option.

Comment 10 errata-xmlrpc 2014-10-14 08:19:30 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1588.html

Note You need to log in before you can comment on or make changes to this bug.