[Swan-dev] NSS Password file "/etc/ipsec.d/nsspassword" for token "OpenDNSSEC" could not be opened for reading

Paul Wouters paul at nohats.ca
Wed Jan 22 20:47:13 UTC 2020


On Sat, 11 Jan 2020, Paul Wouters wrote:

> I'm confused why I am seeing:
>
> 002 "ikev2-westnet-eastnet-x509-cr" #1: NSS Password file 
> "/etc/ipsec.d/nsspassword" for token "OpenDNSSEC" could not be opened for 
> reading

It turns out this is caused by /usr/lib64/p11-kit-proxy.so from p11-kit.
This pkcs#11 proxy library seems to be scanning the system for PKCS#11
providers to automatically add to the runtime NSS database. It seems to
have no regard for those NSS databases, like the one from libreswan,
which by design are not meant to be complemented with system-wide
PKCS#11 information.

I do not know if this can lead to inclusion of WebPKI based CAs. For
instance when a pin code is 0000 or omitted, or when a (malicious)
application happens to be using a token name that will be accepted,
like null or ""?

This file cannot be easily prevented from being installed, since it
is part of p11-kit, which other packages such as ca-certificates
depend on, which in itself is depended on by a large part of the core
OS.

I do not know if this has an impact on the FIPS certification.

It seems to reduce some of the SELinux based restrictions on
/etc/ipsec.d/ since certain information outside of this directory
is possibly merged into the runtime NSS database used by libreswan.

One way of disabling this is using (courtesy of freeipa who also ran
into this with their own private CAs that should not get mixed up
with other WebPKI CAs on the system):

cat /etc/pkcs11/modules/softhsm2.module
module: /usr/lib64/pkcs11/libsofthsm2.so
disable-in: p11-kit-proxy

This will cause NSS to no longer roam the entire operating system for PKCS#11
implementations to incorporate into its NSS database.

Of course, since freeipa ran into this issue too and came up with this
workaround, libreswan cannot install the exact same file, so now we have
an interesting problem. And what happens when we have two of these kinds
of files in /etc/pkcs11/modules?

Paul
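
An added example, not part of the original message and not libreswan or freeipa code: a shell check that lists which module files in a directory such as /etc/pkcs11/modules do not carry the "disable-in: p11-kit-proxy" line shown above. The function name, the example.module file and the assumption that disable-in holds a comma- or space-separated list of names are illustrative.

```shell
#!/bin/sh
# Added example (not from the original message): report which p11-kit module
# files in a directory do NOT opt out of p11-kit-proxy.
# Assumption: "key: value" lines as shown in the message, with disable-in
# holding a comma- or space-separated list of names.

# proxy_visible_modules DIR
# Prints the basename of every *.module file in DIR that lacks
# "disable-in: p11-kit-proxy". Returns 1 if any were printed, else 0.
proxy_visible_modules() {
    dir=$1
    found=0
    for f in "$dir"/*.module; do
        [ -f "$f" ] || continue            # unmatched glob or not a regular file
        if ! awk '
            /^[ \t]*#/ { next }            # ignore comment lines
            /^[ \t]*disable-in[ \t]*:/ {
                sub(/^[^:]*:/, "")         # strip the key, keep the value
                n = split($0, names, /[ \t,]+/)
                for (i = 1; i <= n; i++)
                    if (names[i] == "p11-kit-proxy") hit = 1
            }
            END { exit(hit ? 0 : 1) }
        ' "$f"; then
            basename "$f"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample: one file copied from the message, one hypothetical
# module file without the opt-out line.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'module: /usr/lib64/pkcs11/libsofthsm2.so\ndisable-in: p11-kit-proxy\n' \
        > "$tmp/softhsm2.module"
    printf 'module: /usr/lib64/pkcs11/example.so\n' > "$tmp/example.module"
    proxy_visible_modules "$tmp" || true   # prints: example.module
    rm -rf "$tmp"
}

# Run the demo with "sh script.sh demo", or audit a directory by passing it.
case "${1:-}" in
    demo) demo ;;
    "")   : ;;
    *)    proxy_visible_modules "$1" ;;
esac
```

The non-zero return when any file is listed lets the check gate a package test or a configuration-management run.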


