Bug 509583 - NSS support in Openswan breaks Pre-shared key support
Product: Fedora
Classification: Fedora
Component: openswan
Hardware: All Linux
Priority: low, Severity: urgent
Assigned To: Avesh Agarwal
QA Contact: Fedora Extras Quality Assurance
Depends On: 507844
Blocks: 517000
Reported: 2009-07-03 14:51 EDT by Tuomo Soini
Modified: 2010-01-05 11:41 EST
Doc Type: Bug Fix
Clones: 509584
Last Closed: 2010-01-05 11:41:08 EST

Description Tuomo Soini 2009-07-03 14:51:27 EDT
NSS support which was added to openswan by Red Hat breaks Pre-shared key support for ipsec.

Pre-shared key authentication is a required minimum part of ipsec.

If it's not possible to do it with nss, it must be implemented outside of nss.

Disabling authby=secret makes it nearly impossible to interoperate with a major part of ipsec implementations.

Please fix this immediately by not building with nss or by fixing nss to support pre-shared key authentication.
Comment 1 Paul Wouters 2009-07-03 14:59:58 EDT
I have to agree here. I am not looking forward to people contacting openswan on the mailing lists and IRC channels looking to see why their F-10 -> F-11 completely breaks their tunnels. I'm pretty sure this would not be allowed for EL-x to EL-x+1.
Comment 2 Avesh Agarwal 2009-07-03 15:20:15 EDT

There is already a Red Hat bz 507844 to address this issue, and also a fix in place. I will make a release soon and will send the patch to Paul. With that, everything which works without NSS should work with NSS.

Comment 3 Avesh Agarwal 2009-08-18 09:55:10 EDT
The fix for this is already there in Fedora.
Comment 4 Miroslav Vadkerti 2010-01-05 09:43:32 EST

Is this still an issue?
Comment 5 Avesh Agarwal 2010-01-05 09:50:15 EST
I just verified and it is fixed already.
