Bug 509583 - NSS support in Openswan breaks Pre-shared key support
Summary: NSS support in Openswan breaks Pre-shared key support
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: openswan
Version: 11
Hardware: All
OS: Linux
low
urgent
Target Milestone: ---
Assignee: Avesh Agarwal
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 507844
Blocks: 517000
Reported: 2009-07-03 18:51 UTC by Tuomo Soini
Modified: 2010-01-05 16:41 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 509584
Environment:
Last Closed: 2010-01-05 16:41:08 UTC
Type: ---
Embargoed:


Description Tuomo Soini 2009-07-03 18:51:27 UTC
NSS support which was added to openswan by Red Hat breaks Pre-shared key support for ipsec.

Pre-shared key authentication is a required minimum part of ipsec.

If it's not possible to do it with nss, it must be implemented outside of nss.

Disabling authby=secret makes it nearly impossible to interoperate with a major part of ipsec implementations.

Please fix this immediately by not building with nss or by fixing nss to support pre-shared key authentication.

Comment 1 Paul Wouters 2009-07-03 18:59:58 UTC
I have to agree here. I am not looking forward to people contacting openswan on the mailing lists and irc channels looking to see why their F-10 -> F-11 completely breaks their tunnels. I'm pretty sure this would not be allowed for EL-x to EL-x+1.

Comment 2 Avesh Agarwal 2009-07-03 19:20:15 UTC
Hi,

There is already a redhat bz 507844 to address this issue, and also a fix in place. I will make a release soon and will send the patch to Paul. With that, everything which works without NSS should work with NSS.

Thanks
Avesh

Comment 3 Avesh Agarwal 2009-08-18 13:55:10 UTC
The fix for this is already there in Fedora.

Comment 4 Miroslav Vadkerti 2010-01-05 14:43:32 UTC
Avesh, 

is this still an issue?

Comment 5 Avesh Agarwal 2010-01-05 14:50:15 UTC
I just verified and it is fixed already.
