[Swan-dev] [cryptography] Announcing Mozilla::PKIX, a New Certificate Verification Library (fwd)

Lennart Sorensen lsorense at csclub.uwaterloo.ca
Thu Apr 10 19:37:38 EEST 2014

On Thu, Apr 10, 2014 at 12:17:02PM -0400, Paul Wouters wrote:
> The only part where we used openssl was for OCF userland, and these days
> it is more expensive to offload crypto from userland to kernel than to
> just do it in userland yourself without acceleration, even on embedded
> hardware. So we dropped that support. It also required the non-NSS code
> path.

A lot of embedded systems would much rather use dedicated crypto hardware
and save the CPU for other things (like routing and firewalling).
But hopefully most of the heavy lifting is in the encryption of pacekts
which is in the kernel.  Rekeying and certificate handling is hopefully
a very small part of running ipsec.

> Note PSKs are still in ipsec.secrets. So if you don't user certs or raw
> RSA, you can just run: ipsec initnss at boot and forget about it. If you
> need to add X.509 certs, "ipsec import file.p12". If you use raw rsa
> keys, than you need to keep a persistent copy of the nss.db. Note that
> pluto does not write to the nss db. it is used readonly.

Well there must be a way to add the persistent raw rsa keys.  Keeping
around the nss database would not be an option.  We use one central
database for all config in the system with no exceptions.  Everything is
populated at boot to where it needs to be (in a ramdisk), and whenever
config is changed of course.

Len Sorensen

More information about the Swan-dev mailing list