Description of problem:
My system is connecting to a Sonicwall TZ 100. The connection works when using a PSK and the NSS cert DB is empty. When I add a certificate to the database, Pluto crashes as soon as the peer tries to establish a connection (even when the connection is still configured for PSK and doesn't actually use the certificates). The error message indicates:

packet from 68.111.234.25:500: NSS: slot for DH key gen is NULL

Version-Release number of selected component (if applicable):
openswan-2.6.21-5.el5_6.4
Installed from standard RPM. Kernel is 2.6.35.4-rscloud #8 SMP Mon Sep 20 15:54:33 UTC 2010 x86_64 x86_64 x86_64 GNU/Linux

How reproducible:

Steps to Reproduce:
1. set up Openswan (I will upload details shortly)

Actual results:
Pluto crashes and restarts with error message "packet from 68.111.234.25:500: NSS: slot for DH key gen is NULL"

Expected results:
Pluto does not restart. Pluto should gracefully handle this error situation and either produce a useful error message, or resolve the error internally.

Additional info:
This is on a Rackspace cloud server. Thus, the kernel is non-standard but Rackspace proprietary.
The root cause that triggered this situation was a configuration error. My nsspassword file contained the text:

NSS FIPS 140-2 Certificate DB:XXXXXXXX

instead of just the password by itself. There are thus three separate problems:

- An incorrect password should not cause pluto to crash.
- Pluto should produce a more meaningful error message than "slot for DH key gen is NULL".
- The correct nsspassword format either needs to be documented more clearly, or (preferred) it needs to handle the format I used.

The incorrect format is apparently for an older version of openswan and easily discovered via Google in posts to the openswan mailing lists. For instance: http://lists.openswan.org/pipermail/users/2009-October/017697.html

The correct format is not as easy to discover.
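A pre-start sanity check for the nsspassword file, added here as an illustration and not part of the bug report or of openswan itself. It assumes, as the comment above states, that this openswan build wants the bare password and that the token-prefixed "NSS FIPS 140-2 Certificate DB:password" line is the legacy form that led to the crash; the function name and exit codes are my own choice, and it also flags a world-readable file, which the report does not discuss.

```shell
#!/bin/sh
# check_nsspassword FILE
# Exit status: 0 = bare password (expected by this openswan build, per the report)
#              1 = token-prefixed legacy format ("... Certificate DB:password")
#              2 = file missing, unreadable or empty
#              3 = file is world-readable (password would be exposed to every local user)
check_nsspassword() {
    f="$1"
    [ -r "$f" ] || { echo "$f: missing or unreadable" >&2; return 2; }

    # The first non-empty line is the password entry.
    line=$(grep -m 1 . "$f")
    [ -n "$line" ] || { echo "$f: empty" >&2; return 2; }

    # Assumption: any "<token name> Certificate DB:" prefix is the old format,
    # not only the exact FIPS token string quoted in the report.
    case "$line" in
        *"Certificate DB:"*)
            echo "$f: token-prefixed legacy format; this openswan expects only the password" >&2
            return 1 ;;
    esac

    # -perm -004 (POSIX find): any "other" read bit set.
    if [ -n "$(find "$f" -perm -004 2>/dev/null)" ]; then
        echo "$f: world-readable; restrict it to the owner (chmod 600)" >&2
        return 3
    fi
    return 0
}
```

Run it as `check_nsspassword /etc/ipsec.d/nsspassword` before starting pluto and treat any non-zero status as a reason not to start.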