[Swan-dev] libreswan in debian - Ondřej offered to help (fwd)

Paul Wouters paul at nohats.ca
Wed Jun 22 23:41:59 UTC 2016


On Wed, 22 Jun 2016, Daniel Kahn Gillmor wrote:

> To: Paul Wouters <paul at nohats.ca>
> Subject: Re: libreswan in debian - Ondřej offered to help (fwd)
> 
> On Mon 2016-06-20 13:25:26 -0400, Paul Wouters wrote:
>> The VTI stuff is bleeding edge. So I can understand KLIPS users want to
>> still use it for a few more releases. We get frequent requests about
>> KLIPS. Anyway, if you're the maintainer we can do without KLIPS and
>> see what happens.
>
> Let's start it that way.  If that works for some folks, but others rally
> around KLIPS, then we can add it in.  It's much easier to go in that
> direction than to take something away from even a tiny number of people
> once they've come to expect it :)

Okay.

> OK, i'll modify debian to make it use /var/lib/ipsec/nss for the nss
> directory.

Ok.

>> And maybe just rename --configdir to --nssdir (and leave the old name
>> undocumented)
>
> I'm happy to have --nssdir be the formal name for all of the subcommands
> which need it.  What i don't want is for that configuration parameter to
> influence other file locations.
>
> What option will libreswan use to look for policies/ and passwd and
> nsspassword ?  (and cacerts/ and crls/ for as long as those remain an
> option)

That would remain --ipsecdir

>> No one should call rsasigkey directly, it is supposed to go through the
>> newhostkey wrapper. Which you suggested above could cause the nss init.
>
> Maybe it should be named _rsasigkey then?

Yes, it should have been :)
Let's hope it goes away when we start adding support for non-RSA keys
too :)

> the EXAMPLES section in ipsec_rsasigkey(8) shows:
>
>  ipsec rsasigkey --verbose 4096 >mykey.txt
>
> but of course that fails...

It does? It works for me. If you specify --configdir then it does need
to get the sql: prefix unfortunately. We do need to fix our tools to
always add that prefix if it is not there.

Paul
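
As an added illustration of the prefix problem discussed above (example code, not libreswan's own tooling): a small POSIX sh helper that normalizes a --nssdir/--configdir argument so the NSS tools always receive an explicit database-format prefix, choosing dbm: only when the directory visibly holds a legacy cert8.db/key3.db database and sql: otherwise. The function names and the constructed temp directories are assumptions; NSS itself understands the sql: (cert9.db/key4.db) and dbm: (cert8.db/key3.db) prefixes, and a bare path falls back to the library's build-time default (dbm until NSS 3.35, sql since), which is why a bare --configdir path could fail.

```sh
#!/bin/sh
# Added example, not libreswan code. Normalize an NSS directory argument so it
# always carries an explicit "sql:" or "dbm:" prefix instead of relying on the
# NSS build default. Function names are hypothetical.

# nss_dir_arg DIR: print DIR with an NSS prefix. An existing prefix is kept;
# a bare path gets "dbm:" only if it contains a legacy (cert8.db) database and
# no SQLite one, otherwise "sql:" (the format libreswan expects).
nss_dir_arg() {
    dir="$1"
    case "$dir" in
        sql:*|dbm:*) printf '%s\n' "$dir"; return 0 ;;
    esac
    if [ -f "$dir/cert8.db" ] && [ ! -f "$dir/cert9.db" ]; then
        printf 'dbm:%s\n' "$dir"
    else
        printf 'sql:%s\n' "$dir"
    fi
}

# nss_dir_check ARG: return 0 if the prefixed ARG points at a directory that
# really contains a database of the claimed format, 1 otherwise. Useful as a
# preflight check before handing ARG to certutil or the key-generation tools.
nss_dir_check() {
    arg="$1"
    case "$arg" in
        sql:*) d="${arg#sql:}"; cert="cert9.db"; key="key4.db" ;;
        dbm:*) d="${arg#dbm:}"; cert="cert8.db"; key="key3.db" ;;
        *) return 1 ;;   # unprefixed: refuse rather than guess the format
    esac
    if [ -f "$d/$cert" ] && [ -f "$d/$key" ]; then
        return 0
    fi
    return 1
}

# Demo on constructed sample directories (empty, SQLite-style, legacy-style).
nss_dir_demo() {
    t=$(mktemp -d)
    mkdir "$t/sqldb" "$t/dbmdb" "$t/empty"
    : > "$t/sqldb/cert9.db"; : > "$t/sqldb/key4.db"
    : > "$t/dbmdb/cert8.db"; : > "$t/dbmdb/key3.db"
    for d in "$t/sqldb" "$t/dbmdb" "$t/empty" "dbm:$t/sqldb"; do
        arg=$(nss_dir_arg "$d")
        if nss_dir_check "$arg"; then s=ok; else s=MISSING; fi
        printf '%-60s -> %s\n' "$arg" "$s"
    done
    rm -rf "$t"
}
```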

