Fix NSS config

- Update NSS config on e.g. AlmaLinux 9 to allow the SHA1 signature algorithm. This fixes the issue where IKEv2 clients cannot connect. - Fixes #1206.
2024-06-20 04:36:29 +02:00 · 2022-07-31 23:40:09 -05:00 · 2022-07-31 23:40:09 -05:00 · 95be4b83fb
commit 95be4b83fb
parent 0fe30b0479
1 changed files with 11 additions and 0 deletions
--- a/vpnsetup_centos.sh
+++ b/vpnsetup_centos.sh
@ -608,6 +608,16 @@ update_iptables() {
  fi
 }

+fix_nss_config() {
+  nss_conf="/etc/crypto-policies/back-ends/nss.config"
+  if [ -s "$nss_conf" ]; then
+    if ! grep -q ":SHA1:" "$nss_conf" \
+      && ! grep -q " allow=SHA1:" "$nss_conf"; then
+      sed -i "/ALL allow=/s/ allow=/ allow=SHA1:/" "$nss_conf"
+    fi
+  fi
+}
+
 apply_gcp_mtu_fix() {
  if dmidecode -s system-product-name 2>/dev/null | grep -qi 'Google Compute Engine' \
    && ifconfig 2>/dev/null | grep "$NET_IFACE" | head -n 1 | grep -qi 'mtu 1460'; then
@ -754,6 +764,7 @@ vpnsetup() {
  fi
  update_sysctl
  update_iptables
+  fix_nss_config
  apply_gcp_mtu_fix
  enable_on_boot
  start_services