[Swan-dev] nss updates, addcon bug #86 and libreswan 3.9 release

Matt Rogers mrogers at redhat.com
Wed May 28 18:04:46 EEST 2014

On 05/28, Wolfgang Nothdurft wrote:
> Hi Matt,
> I've tested the nss_updates branch and it works well.
> I have updated your changes to the actual master branch if needed.
> The only problem is, if you renew a certificate, libreswan holds the
> old one.
> The problem seems the missing CERT_DestroyCertificate in load_cert_from_nss.
> With this change it works properly.
> Will the nss_updates be integrated in libreswan 3.9?
> @Paul
> Any comment on my patch for Bug #86
> (https://bugs.libreswan.org/show_bug.cgi?id=86) ?
> Are there any plans when 3.9 will be released? ;)
> Wolfgang

> diff --git a/lib/libswan/certload.c b/lib/libswan/certload.c
> index 509f000..bde45eb 100644
> --- a/lib/libswan/certload.c
> +++ b/lib/libswan/certload.c
> @@ -324,6 +324,7 @@ bool load_cert_from_nss(bool forcedtype, const char *nssHostCertNickName,
>  	blob.len = nssCert->derCert.len;
>  	blob.ptr = alloc_bytes(blob.len, label);
>  	memcpy(blob.ptr, nssCert->derCert.data, blob.len);
> +	CERT_DestroyCertificate(nssCert);
>  	if (is_asn1(blob)) {
>  		DBG(DBG_PARSING, DBG_log("file coded in DER format"));
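Review bot: releasing the NSS reference with CERT_DestroyCertificate(nssCert) directly after the memcpy is only safe if nothing later in load_cert_from_nss still dereferences nssCert; the rest of the function is outside this hunk, so please confirm that blob (which now owns its own copy of the DER bytes) is the only thing used from here on. A one-line comment above the call, e.g. "/* DER copied into blob; drop the NSS reference */", would make that ownership handoff explicit for the next reader. Note also that any early-return path between obtaining nssCert and this line would still leak the reference, so those paths should release it too.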

Thanks Wolfgang! I've diverted a bit from the nss_updates branch because we
ultimately don't want pluto and/or helper binaries writing to CONFDDIR but
instead a spot like /var/lib/ipsec. NSS is supposed to be able to migrate an
existing DB+certs to the new format in a new spot at initialization time, 
which is the ideal solution for our users (and avoids needing more startup
scripts). But right now there's an NSS bug that gets in the way of the initial
migration. Take a look at the test program I threw together in
nssdb_upgrade_test branch for more details.

However, once we are running with the new DB, your patch will be useful. There
will probably be some more changes like this needed in the x509 code once we can
test adding/removing certs on the fly.
