Fedora Linux Support Community & Resources Center
#1  20th June 2009, 01:31 AM
tfar-4
Fedora 11 Openswan IPSEC VPN - How to disable NSS and FIPS now enabled by default??

Openswan 2.6.21-4 in Fedora 11 has NSS crypto library enabled by default. This breaks the existing certificate and key configuration after an upgrade from Fedora 10.

Does anyone know how to either disable NSS for Openswan by a configuration change without having to recompile Openswan or alternatively how to import existing certs and keys into NSS so that a current Openswan road warrior configuration can continue to be used?

I ask this question here rather than the Openswan Forum because Openswan's use of NSS is very sparsely documented and does not appear to be an active topic in the Openswan lists. It looks like Fedora developers have taken this decision before the Openswan team have given NSS and FIPS much consideration at all. There is no mention of the change in the Release Notes for Fedora 11. I would not have upgraded if I had known this change to Openswan in Fedora 11 had been made. But there must be many more users like me for whom Openswan is a critical app, so maybe we need to find a solution to enable Fedora 11 to remain compatible with existing networks.

Tony
#2  20th June 2009, 04:56 PM
pwouters
Unfortunately, it is a compile-time option only

You will have to recompile openswan. The easiest is to do:

yum install yum-utils
yumdownloader --source openswan
rpm -ihv openswan-*.src.rpm

edit openswan.spec and find the bit where it says

USE_LIBNSS="true" \
USE_FIPSCHECK="true" \

and set those to false, then recompile using rpmbuild -bb openswan.spec

We added a %{buildnss} option that can be used to disable/enable it using
rpmbuild --define 'buildnss=0' but I am not sure if that made it into redhat's spec file.
#3  20th June 2009, 11:41 PM
tfar-4
Spec file does not include USE_LIBNSS

Thanks Paul, I should have known it would be you who would respond. The spec file does not define LIB_NSS only FIPSCHECK. So I have set USE_FIPSCHECK to 0 and rebuilt the RPM packages. I am not familiar enough with building rpms to know whether it is only a matter of also commenting the nss patch to effectively disable nss as well. I will test the rpm file variations I come up with on a non production critical laptop later in the day when I have more time available.

In the meantime I have reinstalled the F10 rpm for Openswan on my production workstation using the --oldpackage option and Openswan is working well again. That is not a suitable long term solution of course but keeps me going in the meantime.

Tony
#4  22nd June 2009, 10:31 AM
tfar-4
Compiling without FIPS and NSS solves problem

Rebuilding the F11 Openswan RPM with USE_FIPSCHECK=0 and with the nss.patch commented out in the spec file does restore Openswan to using the existing certs and keys without NSS support. I guess it's time to start reading up on Network Security Services if it's the way of the future.
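The spec-file edit that posts #2 and #4 describe, as a script. This is an added example and not code from the thread or from the Openswan project. It assumes the build switches appear as USE_LIBNSS="true" / USE_FIPSCHECK="true" (the form post #2 quotes) and that the nss patch is declared with a PatchN: line whose file name ends in nss.patch; the miniature spec inside the block is constructed for the example and the real Fedora spec differs in its details.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Openswan project.
# Flips the USE_LIBNSS / USE_FIPSCHECK switches to "false" and comments out
# the nss patch (its Patch: declaration and its %patch application) so that
# "rpmbuild -bb openswan.spec" builds a package without NSS/FIPS support.

# Rewrite the spec file $1 into $2 with NSS and FIPS disabled.
disable_nss_fips() {
    in_spec=$1
    out_spec=$2

    # Number N of the "PatchN: ...nss.patch" line, empty if there is none.
    # Matching "nss\.patch" rather than "nss" keeps e.g. an openssl patch
    # (whose name also contains "nss") from being commented out by mistake.
    nss_no=$(sed -n 's/^Patch\([0-9][0-9]*\):[[:space:]].*nss\.patch[[:space:]]*$/\1/p' "$in_spec" | head -n 1)

    # Pass 1: turn the quoted "true" switches into "false", keeping the
    # indentation and the trailing backslash of the make invocation intact.
    sed -e 's/^\([[:space:]]*USE_LIBNSS=\)"true"/\1"false"/' \
        -e 's/^\([[:space:]]*USE_FIPSCHECK=\)"true"/\1"false"/' \
        "$in_spec" > "$out_spec.tmp"

    # Pass 2: comment out the nss patch. The %patch line is written as
    # "%%patch" because rpmbuild still expands macros inside # comments.
    if [ -n "$nss_no" ]; then
        sed -e "s/^Patch$nss_no:/# Patch$nss_no:/" \
            -e "s/^%patch$nss_no\$/# %%patch$nss_no/" \
            -e "s/^%patch$nss_no\([[:space:]]\)/# %%patch$nss_no\1/" \
            "$out_spec.tmp" > "$out_spec"
        rm -f "$out_spec.tmp"
    else
        mv "$out_spec.tmp" "$out_spec"
    fi
}

# Constructed miniature spec, shaped like the lines quoted in the thread;
# it is not the Fedora openswan.spec.
sample_spec() {
    cat <<'EOF'
Name: openswan
Version: 2.6.21
Release: 4%{?dist}
Patch1: openswan-2.6.21-example.patch
Patch2: openswan-2.6.21-nss.patch

%prep
%setup -q
%patch1 -p1
%patch2 -p1

%build
make \
  USE_LIBNSS="true" \
  USE_FIPSCHECK="true" \
  programs
EOF
}

# Usage: sh disable-nss.sh openswan.spec   (writes openswan.spec.nonss)
if [ "$#" -eq 1 ]; then
    disable_nss_fips "$1" "$1.nonss" \
        && echo "wrote $1.nonss; build it with: rpmbuild -bb $1.nonss"
fi
```

After the rewrite, diff the two spec files before running rpmbuild -bb so that only the intended lines changed; the %%patch spelling in the commented line matters because rpmbuild expands macros in comments and would otherwise still try to apply the patch or warn about it.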
#5  6th November 2009, 02:57 AM
jschilen
linuxsafari
I haven't gotten too far with it yet but I was just able to create the NSS db with:
certutil -N -d /etc/ipsec.d
Then import my pfx file to it with
pk12util -i myfile.pfx -d /etc/ipsec.d

Now on to try to make it work with our vpn...
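The two commands in the post above (certutil -N, then pk12util -i) scripted with a password file instead of the interactive prompt and with a verification step, so the import can be checked before pluto is pointed at the database. This is an added example, not code from the thread or from Openswan. It assumes certutil and pk12util from nss-tools are on PATH; every path, password file name and certificate nickname in it is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not code from the thread or from Openswan. Creates an NSS
# database, imports a PKCS#12 bundle into it and checks that the certificate
# is now listed. Assumes nss-tools (certutil, pk12util) is installed; the
# paths and names used are placeholders.

# Create the NSS database in $1 unless cert8.db/cert9.db already exist there.
# $2 is a file holding the database password (certutil -f), which avoids the
# interactive prompt. Keep that file root-only (chmod 600): it unlocks the
# private keys in the database.
nss_init_db() {
    db_dir=$1
    pw_file=$2
    if [ -f "$db_dir/cert8.db" ] || [ -f "$db_dir/cert9.db" ]; then
        echo "nss_init_db: $db_dir already holds a database, leaving it alone" >&2
        return 0
    fi
    mkdir -p "$db_dir"
    chmod 700 "$db_dir"
    certutil -N -d "$db_dir" -f "$pw_file"
}

# Import the PKCS#12 bundle $3 into the database in $1. $2 is the database
# password file (pk12util -k), $4 a file holding the .pfx export password
# (pk12util -w). Password files rather than -K/-W keep the secrets out of the
# process list. The NSS nickname of the imported certificate comes from the
# bundle's friendlyName attribute, so set it when exporting the .pfx.
nss_import_p12() {
    db_dir=$1
    pw_file=$2
    pfx=$3
    pfx_pw_file=$4
    pk12util -i "$pfx" -d "$db_dir" -k "$pw_file" -w "$pfx_pw_file"
}

# Succeed (exit 0) only if a certificate with nickname $2 is listed in $1.
# certutil -L prints one "nickname   trust-flags" line per certificate;
# the nickname is used as a regular expression here, so keep it plain.
nss_has_cert() {
    db_dir=$1
    nick=$2
    certutil -L -d "$db_dir" | grep -q "^$nick[[:space:]]"
}

# Usage: sh nss-import.sh /etc/ipsec.d /etc/ipsec.d/nsspassword me.pfx pfxpass.txt
if [ "$#" -eq 4 ]; then
    nss_init_db "$1" "$2" \
        && nss_import_p12 "$1" "$2" "$3" "$4" \
        && certutil -L -d "$1"
fi
```

The nickname printed by certutil -L is the name the NSS-enabled Openswan will need to refer to the certificate by, so check it with nss_has_cert right after the import rather than discovering a mismatch in the pluto log later.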