[Swan-dev] [cryptography] Announcing Mozilla::PKIX, a New Certificate Verification Library (fwd)

[Paul Wouters]

On Thu, 10 Apr 2014, Lennart Sorensen wrote:

>> We understand the pain of having to add NSS to embedded platforms. But
>> there is really no alternative. The only switching that is possible
>> would be from NSS to openssl. It would make life easier on embedded
>> platforms that already need openssl. But for us it adds the overhead
>> of all the certificate loading/parsing code as openssl does not have
>> the same concept as the NSS DB for a "store" of cryptographic information.
>
> So any work on the openssl option that paul mentioned about a year ago
> as a future option?  Of course openssl's crazy license makes trouble
> for some projects too.

The only part where we used openssl was for OCF userland, and these days
it is more expensive to offload crypto from userland to kernel than to
just do it in userland yourself without acceleration, even on embedded
hardware. So we dropped that support. It also required the non-NSS code
path.

> Of course I am wondering what kind of work will be involved in generating
> the nss database each boot from the configuration database.  Probably not
> too hard.

Note PSKs are still in ipsec.secrets. So if you don't user certs or raw
RSA, you can just run: ipsec initnss at boot and forget about it. If you
need to add X.509 certs, "ipsec import file.p12". If you use raw rsa
keys, than you need to keep a persistent copy of the nss.db. Note that
pluto does not write to the nss db. it is used readonly.

Paul