From 95be4b83fba91d8c322ccd35c3b1e40cbf850f01 Mon Sep 17 00:00:00 2001
From: hwdsl2
Date: Sun, 31 Jul 2022 23:40:09 -0500
Subject: [PATCH] Fix NSS config

- Update NSS config on e.g. AlmaLinux 9 to allow the SHA1 signature algorithm. This fixes the issue where IKEv2 clients cannot connect.
- Fixes #1206.
---
 vpnsetup_centos.sh | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh
index 292929b..cbd083a 100755
--- a/vpnsetup_centos.sh
+++ b/vpnsetup_centos.sh
@@ -608,6 +608,16 @@ update_iptables() {
   fi
 }
 
+fix_nss_config() {
+  nss_conf="/etc/crypto-policies/back-ends/nss.config"
+  if [ -s "$nss_conf" ]; then
+    if ! grep -q ":SHA1:" "$nss_conf" \
+      && ! grep -q " allow=SHA1:" "$nss_conf"; then
+      sed -i "/ALL allow=/s/ allow=/ allow=SHA1:/" "$nss_conf"
+    fi
+  fi
+}
+
 apply_gcp_mtu_fix() {
   if dmidecode -s system-product-name 2>/dev/null | grep -qi 'Google Compute Engine' \
     && ifconfig 2>/dev/null | grep "$NET_IFACE" | head -n 1 | grep -qi 'mtu 1460'; then
@@ -754,6 +764,7 @@ vpnsetup() {
   fi
   update_sysctl
   update_iptables
+  fix_nss_config
   apply_gcp_mtu_fix
   enable_on_boot
   start_services
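Review bot: `fix_nss_config` re-enables SHA-1 signatures for every NSS consumer on the host by hand-editing `/etc/crypto-policies/back-ends/nss.config`, which on the RHEL 9 family is a generated back-end file — it is rewritten whenever `update-crypto-policies` runs, so the `sed -i` edit is both broader than Libreswan needs and liable to be silently reverted by a later policy change. The supported way to express this is a subpolicy, e.g. replacing the `sed -i` line with `update-crypto-policies --set "$(update-crypto-policies --show):SHA1"` (guarded by `command -v update-crypto-policies >/dev/null`), which survives regeneration, keeps whatever base policy the admin chose, and is visible to an auditor via `update-crypto-policies --show`. Either way the function should carry a comment recording the downgrade and its reason, e.g. `# RHEL 9 family disables SHA1 signatures in the system crypto policy; re-allow it so IKEv2 clients can connect (#1206)`. If the connection failure is caused by SHA-1-signed VPN certificates rather than a protocol requirement, issuing the certificates with SHA-256 would remove the need for this downgrade entirely, though that cannot be confirmed from this hunk.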