On Sat, Oct 30, 2010 at 01:45:14PM -0400, Tom Horsley wrote:
> On Sat, 30 Oct 2010 13:08:38 -0400
> David A. De Graaf wrote:
>
> > Can anyone give a clue how to access this very well hidden private key?
> > Google can't.
>
> A substitute for documentation can sometimes be found by running the
> program under strace to log all attempts to open files, then you can at
> least find out what places it is looking for things :-).
>

Thanks, Tom, but further depths of googling led me to discover
<doc>/README.nss where I found a hint.

The whole NSS password mess can be bypassed by NOT supplying a password
when creating the NSS db, e.g.

    certutil -N -d /etc/ipsec.d

(just hit enter when prompted for a password)

Then create the RSA key without mentioning the --password option:

    ipsec newhostkey --configdir /etc/ipsec.d \
        --output /etc/ipsec.d/ipsec.secrets

and continue normally to create the net2net.conf file containing the
left and right rsasigkeys.

My tunnel now connects properly. Eureka.

As an aside, I wish we didn't have to find "A substitute for
documentation". In the openswan case we have too much. Too much to
repair when change happens. The Freeswan Project, before its demise,
had writers who seemed to be English majors, and left us with tons of
glorious prose that was a joy to read. Unfortunately, when somebody
decides to add another obscure and impenetrable layer of "security",
they don't have the patience to fix the documentation. Instead, we are
left with incorrect instructions plus a cryptic README.nss file. The
openswan system is complex enough. Having incorrect documentation is
maddening.

(Yeah, I know. I should fix it, or shut up.)

--
David A. De Graaf    DATIX, Inc.    Hendersonville, NC
dad@xxxxxxxx         www.datix.us

--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
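With the NSS database created without a password as described in the thread, the RSA host key is protected only by file permissions on the configdir. The following audit script is an added example (not from the thread and not part of openswan or NSS): it checks that the legacy NSS files and ipsec.secrets exist and are readable by their owner alone, and builds a constructed demo directory so it runs without openswan installed. The helper names and the cert8.db/key3.db/secmod.db file set are assumptions about a legacy-format NSS db.

```shell
#!/bin/sh
# Hypothetical audit helper for an openswan configdir whose NSS db has an
# empty password: nothing but file permissions guards the private key, so
# every key-bearing file must be owner-readable only.

# Files that hold or reference the host key (legacy cert8/key3 NSS layout).
NSS_KEY_FILES="cert8.db key3.db secmod.db ipsec.secrets"

# audit_nss_dir DIR: return 0 when every key file exists and has no group
# or other permission bits; print one line per problem and return 1 otherwise.
audit_nss_dir() {
    dir=$1
    status=0
    for name in $NSS_KEY_FILES; do
        f="$dir/$name"
        if [ ! -f "$f" ]; then
            echo "missing: $f"
            status=1
            continue
        fi
        # Columns 5-10 of 'ls -ld' are the group and other rwx bits.
        grp_other=$(ls -ld "$f" | cut -c5-10)
        if [ "$grp_other" != "------" ]; then
            echo "too permissive (group/other=$grp_other): $f"
            status=1
        fi
    done
    return $status
}

# demo_nss_dir: constructed stand-in for /etc/ipsec.d (no real keys inside),
# with ipsec.secrets deliberately left world-readable to trigger a finding.
demo_nss_dir() {
    d=$(mktemp -d)
    for name in $NSS_KEY_FILES; do : > "$d/$name"; done
    chmod 600 "$d/cert8.db" "$d/key3.db" "$d/secmod.db"
    chmod 644 "$d/ipsec.secrets"
    echo "$d"
}

# Run 'sh audit.sh --demo' to see the finding on the constructed directory;
# run 'audit_nss_dir /etc/ipsec.d' as root against a real configdir.
if [ "${1:-}" = "--demo" ]; then
    audit_nss_dir "$(demo_nss_dir)"
fi
```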