Description of problem: I am trying to setup ipsec tunnels which use rsa signatures as the authby mechanism. After running certutil -N -d /etc/ipsec.d and ipsec newhostkey --output /etc/ipsec.d/ipsec.secrets, I get the following error message: ipsec rsasigkey: key pair generation failed: "-8126" Version-Release number of selected component (if applicable): ipsec-tools-0.7.2-1.fc11.x86_64 How reproducible: Always Steps to Reproduce: 1. su - root 2. certutil -n -d /etc/ipsec.d 3. ipsec newhostkey --configdir /etc/ipsec.d --output /etc/ipsec.d/ipsec.secrets Actual results: ipsec-tools-0.7.2-1.fc11.x86_64 Expected results: new hostkey Additional info:
You're using tools from openswan and not ipsec-tools.
There will be a new release of Openswan in Fedora either today or tomorrow which will fix this issue.
I have this too.. I am using openswan-2.6.21-4.fc11.x86_64. I don't understand comment #1.. Is there some problem with the set of installed packages? I have ipsec-tools also, but I think this is with openswan as that is the package which has /usr/sbin/ipsec.
There is an update in fedora (2.6.21-5.fc11.x86_64). Please see if you still see the problem. Anyway, Oenswan-NSS in fedora expects sql database, so try to do certutil -n -d sql:/etc/ipsec.d if db with empty password, then ipsec newhostkey --configdir /etc/ipsec.d --output /etc/ipsec.d/ipsec.secrets if with password, then, ipsec newhostkey --configdir /etc/ipsec.d --password <password> --output /etc/ipsec.d/ipsec.secrets
This update apparently hasn't been spread around enough to reach me yet. Yum doesn't see it. certutil doesn't seem to like that command by the way.. What's it supposed to do?
certutil -N -d sql:/etc/ipsec.d it should be "N" (capital) not "n"
OK, certutil -N -d sql:/etc/ipsec.d works. The second one fails: ipsec rsasigkey: key pair generation failed: "-8126"
Are you creating database with a password? Anyway, until you get the update, you can try the following, certutil -N -d sql:/etc/ipsec.d (create database with a password) modutil -fips true -dbdir sql:/etc/ipsec.d (to put the db in fips mode) ipsec newhostkey --configdir /etc/ipsec.d --password <password> --output /etc/ipsec.d/ipsec.secrets it should work now. Also, I assume if you have read README.nss, which says that you should create a "nsspassword" file in the directory /etc/ipsec.d" which contains the database password.
I am creating it with a password. Now the newhostkey command creates a ipsec.secrets containing only: : RSA { FIPS integrity verification test failed. } # do not change the indenting of that "}"
THe reason is that ipsec newhostkey expects "/dev/random" by default and it seems that "/dev/random" does not have enough entropy. try following: ipsec newhostkey --random /dev/urandom --configdir /etc/ipsec.d --password <password> --output /etc/ipsec.d/ipsec.secrets
The only "README.nss" I have says nothing about a nsspassword file. The result of the command using urandom is just as before.
do you have an updated fipscheck-devel library? please try o install fipscheck-1.1.1-1.fc11, and see if you get the error again.
I already have fipscheck-1.2.0-1a.fc11.x86_64.. You want me to downgrade?
No, i will check it locally again, and get back to you. But try the latest Openswan-NSS update in fedora as soon as you get that.
Before you get the latest Openswan-NSS update, you can try following: check of you have openssl version 0.9.8k-5.fc11, i.e. latest openssl package. "prelink -u -a" (it may take sometime). and then try again.
I now get: ipsec rsasigkey: Incorrect password/PIN entered. /usr/libexec/ipsec/newhostkey: line 75: 2061 Segmentation fault ipsec rsasigkey $verbose $configdir $password $host $bits I double checked the password, it is correct.
I just checked it worked. Assume that the password is abcd try following ipsec newhostkey --random /dev/urandom --configdir /etc/ipsec.d --password abcd --output /etc/ipsec.d/ipsec.secrets
I get the same: ipsec rsasigkey: Incorrect password/PIN entered. /usr/libexec/ipsec/newhostkey: line 75: 3675 Segmentation fault ipsec rsasigkey $verbose $configdir $password $host $bits I am using the password I entered in certutil per comment #4.
It is surprising. It can only happen if the provided password is wrong. I would suggest you try again from the beginning. Try to install the openswan again and create database again and then try the above comands. Just following rpm -e openswan rpm install openswan certutil -N -d sql:/etc/ipsec.d modutil -fips true -dbdir sql:/etc/ipsec.d ipsec newhostkey --random /dev/urandom --configdir /etc/ipsec.d --password abcd --output /etc/ipsec.d/ipsec.secrets
erased and reinstalled.. [root@arturo ~]# certutil -N -d sql:/etc/ipsec.d Enter Password or Pin for "NSS FIPS 140-2 Certificate DB": Enter a password which will be used to encrypt your keys. The password should be at least 8 characters long, and should contain at least one non-alphabetic character. Enter new password: Re-enter password: Password changed successfully. [root@arturo ~]# modutil -fips true -dbdir sql:/etc/ipsec.d WARNING: Performing this operation while the browser is running could cause corruption of your security databases. If the browser is currently running, you should exit browser before continuing this operation. Type 'q <enter>' to abort, or <enter> to continue: FIPS mode already enabled. [root@arturo ~]# ipsec newhostkey --random /dev/urandom --configdir /etc/ipsec.d --password xxxxxxxx --output /etc/ipsec.d/ipsec.secrets ipsec rsasigkey: Incorrect password/PIN entered. /usr/libexec/ipsec/newhostkey: line 75: 3415 Segmentation fault ipsec rsasigkey $verbose $configdir $password $host $bits
"Password changed successfully." you are not creating a new database, you are just changing the password of the old database. I would suggest you do following cd /etc/ipsec.d rm *.db rm pkcs11.txt and then try again for creating the database.
Please also check which nss version you are using? rpm -q nss
[root@arturo ~]# rpm -q nss nss-3.12.3-4.fc11.x86_64
Removed those files, to no avail: [root@arturo ipsec.d]# certutil -N -d sql:/etc/ipsec.d Enter a password which will be used to encrypt your keys. The password should be at least 8 characters long, and should contain at least one non-alphabetic character. Enter new password: Re-enter password: [root@arturo ipsec.d]# modutil -fips true -dbdir sql:/etc/ipsec.d WARNING: Performing this operation while the browser is running could cause corruption of your security databases. If the browser is currently running, you should exit browser before continuing this operation. Type 'q <enter>' to abort, or <enter> to continue: FIPS mode enabled. [root@arturo ipsec.d]# ipsec newhostkey --random /dev/urandom --configdir /etc/ipsec.d --password xxxxxxx --output /etc/ipsec.d/ipsec.secrets ipsec rsasigkey: Incorrect password/PIN entered. /usr/libexec/ipsec/newhostkey: line 75: 4696 Segmentation fault ipsec rsasigkey $verbose $configdir $password $host $bits
It is working locally when I am checking so there must be something related to your system. As a last resort also check "rpm -q selinux-policy" and what is the output of the command "getenforce"
Here's an interesting thing: certutil says "The password should be at least 8 characters long, and should contain at least one non-alphabetic character." - okay so if I use "password1": [root@arturo ipsec.d]# ipsec newhostkey --random /dev/urandom --configdir /etc/ipsec.d --password password1 --output /etc/ipsec.d/ipsec.secrets Generated RSA key pair using the NSS database ..No problem! So it's not that the password "should" be 8 characters and one non-alphabetic character, it's that it "MUST" be.
(In reply to comment #10) > THe reason is that ipsec newhostkey expects "/dev/random" by default and it > seems that "/dev/random" does not have enough entropy. > > try following: > > ipsec newhostkey --random /dev/urandom --configdir /etc/ipsec.d --password > <password> --output > /etc/ipsec.d/ipsec.secrets NO! /dev/urandom should NEVER be used for long term keys (eg openswan RSA keys) and should only be used for shorter lived keys, such as session keys. Openswan uses /dev/urandom where it is safe, and /dev/random where it should. Changing any of that behaviour is just wrong. NSS should be made to work properly with /dev/random
Hi Paul, NSS does not change the way /dev/random or /dev/urandom is used. Thanks Avesh
This is tested in the latest Openswan verison, and the issue does not appear now. So I am closing this, and please reopen if you see this issue again. Thanks for reporting the issue.
I'm experiencing this problem with a new Fedora 11 install that has been brought up to date with yum. Specific packages installed: openswan-doc-2.6.24-1.fc11.i586 openswan-2.6.24-1.fc11.i586 nss-3.12.6-1.2.fc11.i586 nss-tools-3.12.6-1.2.fc11.i586 Based on the advice in these messages I have compiled a (re)install procedure: yum remove openswan -y rm -rf /etc/ipsec* yum install openswan openswan-doc nss-tools -y certutil -N -d /etc/ipsec.d modutil -fips true -dbdir sql:/etc/ipsec.d ipsec newhostkey --output /etc/ipsec.d/ipsec.secrets --configdir /etc/ipsec.d --password password1 --random /dev/urandom more /etc/ipsec.d/ipsec.secrets The end result is a file that looks like: : RSA { FIPS integrity verification test failed. } # do not change the indenting of that "}" I have been unable to ascertain what exactly is going on in the FIPSCHECK_verify method that is triggering this error.
On an additional note, is there a de-facto reference for installing Openswan on Fedora 11 taking into account the FIPS, NSS and other requirements imposed by the platform?
Did you try as suggested in the comment 15? That may be helpful I think.
I could not locate the package that installs the prelink command, and it is not installed by default.
Scott, that is strange, the package is actually called prelink: prelink.x86_64 : An ELF prelinking utility I think you may have problems with you repository configuration. You can also manually download prelink builds here: http://koji.fedoraproject.org/koji/packageinfo?packageID=583