[Swan-dev] NSS DB update

Matt Rogers mrogers at redhat.com
Thu Sep 4 06:13:54 EEST 2014

Hey all,

I've pushed a branch called nss_upgrade_9_03 that has patches for pluto to start
using an SQL format NSS database, outside of the ipsec.d dir (/var/lib/pluto by
default). Pluto still opens the database read-only as the intent is to use
helper programs to write to the database as needed in the future, but the
benefit of this now is that changes to certificates get picked by a running
pluto (i.e adding a new cert for a newly added connection previously needed a

The upgrade code is part of ipsec --checknss which runs each time pluto is
started from systemd. It checks to see if you have the old format database in
ipsec.d and no sql format database in the new location which indicates that the
upgrade is needed. The ipsec.d files are backed up and certutil --upgrade-merge
is called twice, to work around an NSS bug. This works for databases both with
passwords (from ipsec.d/nsspassword) and without.

I think this is overall a simpler solution to handling the upgrade than my
earlier efforts of trying to handle it all within pluto. Needing to hack around
the NSS problems made the upgrade code a mess.

Wolfgang, I know you were using the earlier version of this so your input would
be appreciated again as well.


More information about the Swan-dev mailing list