Re: openswan is unusable

On Sat, Oct 30, 2010 at 01:45:14PM -0400, Tom Horsley wrote:
> On Sat, 30 Oct 2010 13:08:38 -0400
> David A. De Graaf wrote:
> 
> > Can anyone give a clue how to access this very well hidden private key?
> > Google can't.
> 
> A substitute for documentation can sometimes be found by running the
> program under strace to log all attempts to open files, then you can at
> least find out what places it is looking for things :-).
> 

Thanks, Tom, but further depths of googling led me to discover
<doc>/README.nss where I found a hint.

The whole NSS password mess can be bypassed by NOT supplying a password
when creating the NSS db, eg

  certutil -N -d /etc/ipsec.d
      (just hit enter when prompted for a password)

Then create the RSA key without mentioning the --password option:
  ipsec newhostkey --configdir /etc/ipsec.d  \
    --output /etc/ipsec.d/ipsec.secrets
and continue normally to create the net2net.conf file containing the
left and right rsasigkeys.

My tunnel now connects properly.  Eureka.


As an aside, I wish we didn't have to find "A substitute for
documentation".  In the openswan case we have too much.  Too much to
repair when change happens.  The Freeswan Project, before its demise,
had writers who seemed to be English majors, and left us with tons of
glorious prose that was a joy to read.  Unfortunately, when somebody
decides to add another obscure and impenetrable layer of "security",
they don't have the patience to fix the documentation.  Instead, we are
left with incorrect instructions plus a cryptic README.nss file.

The openswan system is complex enough.  Having incorrect documentation
is maddening.  (Yeah, I know.  I should fix it, or shut up.)


-- 
	David A. De Graaf    DATIX, Inc.    Hendersonville, NC
	dad@xxxxxxxx         www.datix.us
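As an added example (not code from this thread or from the openswan project), the no-password procedure above wrapped in shell functions with the checks a practitioner would want. It assumes nss-tools' certutil and openswan's ipsec on a Fedora-style host with GNU coreutils, the /etc/ipsec.d paths from the mail, and that `ipsec showhostkey --left`/`--right` prints a line of the form leftrsasigkey=0s... (the 0s prefix is openswan's base64 marker).

```shell
#!/bin/sh
# Added example, not from the original mail. Assumes certutil (nss-tools),
# the openswan `ipsec` command, GNU stat, and the paths used in the thread.
IPSEC_DIR=${IPSEC_DIR:-/etc/ipsec.d}

# Step 1: create the NSS db with an EMPTY password. Feeding certutil an
# empty password file via -f is the same as just hitting Enter at the prompt.
init_nss_db() {
    dir=$1
    if [ -e "$dir/cert8.db" ] || [ -e "$dir/cert9.db" ]; then
        echo "NSS db already exists in $dir; not touching it" >&2
        return 1
    fi
    pw=$(mktemp) || return 1
    certutil -N -d "$dir" -f "$pw"; rc=$?
    rm -f "$pw"
    return $rc
}

# Step 2: generate the host key WITHOUT --password, exactly as in the mail.
gen_hostkey() {
    ipsec newhostkey --configdir "$IPSEC_DIR" --output "$IPSEC_DIR/ipsec.secrets"
}

# With no NSS password the RSA private key is guarded only by file
# permissions, so refuse anything more permissive than 0600.
check_private_perms() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) echo "$1 has mode $mode; want 0600" >&2; return 1 ;;
    esac
}

# Pull the "<side>rsasigkey=0s..." value out of `ipsec showhostkey --<side>`
# output on stdin (assumed format) and insist on the 0s prefix.
extract_sigkey() {
    side=$1
    key=$(sed -n "s|^[[:space:]]*${side}rsasigkey=\(0s[A-Za-z0-9+/=]*\).*|\1|p" | head -n 1)
    [ -n "$key" ] || return 1
    printf '%s\n' "$key"
}

# Step 3: build the conn stanza for net2net.conf from the two keys.
# args: left-ip left-key right-ip right-key
net2net_conn() {
    printf 'conn net2net\n\tleft=%s\n\tleftrsasigkey=%s\n\tright=%s\n\trightrsasigkey=%s\n\tauthby=rsasig\n\tauto=add\n' "$1" "$2" "$3" "$4"
}
```

Run as root: `init_nss_db "$IPSEC_DIR" && gen_hostkey && check_private_perms "$IPSEC_DIR/ipsec.secrets"`, then feed each side's `ipsec showhostkey` output through `extract_sigkey` into `net2net_conn`.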
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
