[Swan-dev] NSS DB update

Wolfgang Nothdurft wolfgang at linogate.de
Fri Sep 12 10:40:50 EEST 2014

Am 04.09.2014 05:13, schrieb Matt Rogers:
> Hey all,
> I've pushed a branch called nss_upgrade_9_03 that has patches for pluto to start
> using an SQL format NSS database, outside of the ipsec.d dir (/var/lib/pluto by
> default). Pluto still opens the database read-only as the intent is to use
> helper programs to write to the database as needed in the future, but the
> benefit of this now is that changes to certificates get picked by a running
> pluto (i.e adding a new cert for a newly added connection previously needed a
> restart).
> The upgrade code is part of ipsec --checknss which runs each time pluto is
> started from systemd. It checks to see if you have the old format database in
> ipsec.d and no sql format database in the new location which indicates that the
> upgrade is needed. The ipsec.d files are backed up and certutil --upgrade-merge
> is called twice, to work around an NSS bug. This works for databases both with
> passwords (from ipsec.d/nsspassword) and without.
> I think this is overall a simpler solution to handling the upgrade than my
> earlier efforts of trying to handle it all within pluto. Needing to hack around
> the NSS problems made the upgrade code a mess.
> Wolfgang, I know you were using the earlier version of this so your input would
> be appreciated again as well.
> Thanks,
> Matt

Hi Matt,

we have released a firmware update for our internet appliance with 
libreswan 3.9 patched with your first version in early august.

There is no problem since then.

I have done a short test with the patch from your new branch and it 
seems ok, but unfortunately we have no scenario which uses the old 
database format to test the upgrade process.

Maybe I find some time next week to setup some test scenarios.


More information about the Swan-dev mailing list