[Swan-dev] [cryptography] Announcing Mozilla::PKIX, a New Certificate Verification Library (fwd)

Philippe Vouters philippe.vouters at laposte.net
Thu Apr 10 20:46:05 EEST 2014


Paul,

Although it is very insecure, would embedded systems be the reason for 
your xauthby=alwaysok?
This is aside from the NSS database aspect.

Philippe Vouters (Fontainebleau/France)
URL: http://vouters.dyndns.org/
SIP: sip:Vouters at sip.linphone.org

On 04/10/2014 06:37 PM, Lennart Sorensen wrote:
> On Thu, Apr 10, 2014 at 12:17:02PM -0400, Paul Wouters wrote:
>> The only part where we used openssl was for OCF userland, and these days
>> it is more expensive to offload crypto from userland to kernel than to
>> just do it in userland yourself without acceleration, even on embedded
>> hardware. So we dropped that support. It also required the non-NSS code
>> path.
> A lot of embedded systems would much rather use dedicated crypto hardware
> and save the CPU for other things (like routing and firewalling).
> But hopefully most of the heavy lifting is in the encryption of packets
> which is in the kernel.  Rekeying and certificate handling is hopefully
> a very small part of running ipsec.
>
>> Note PSKs are still in ipsec.secrets. So if you don't use certs or raw
>> RSA, you can just run: ipsec initnss at boot and forget about it. If you
>> need to add X.509 certs, "ipsec import file.p12". If you use raw rsa
>> keys, then you need to keep a persistent copy of the nss.db. Note that
>> pluto does not write to the nss db. It is used read-only.
> Well there must be a way to add the persistent raw rsa keys.  Keeping
> around the nss database would not be an option.  We use one central
> database for all config in the system with no exceptions.  Everything is
> populated at boot to where it needs to be (in a ramdisk), and whenever
> config is changed of course.
>


