[Swan] NSS transition questions

Lennart Sorensen lsorense at csclub.uwaterloo.ca
Fri May 24 17:11:32 EEST 2013


On Thu, May 23, 2013 at 06:07:02PM -0400, Paul Wouters wrote:
> Private cryptographic keys must be stored now in the NSS db.
> Preshared keys can still reside in /etc/ipsec.secrets or its include files
> 
> Public certificates can be placed into /etc/ipsec.d/certs but this will
> go away in the near future.
> 
> Public CA certificates can be placed into /etc/ipsec.d/cacerts/ but this
> will go away in the near future.
> 
> CRLs can be placed into /etc/ipsec.d/crlts but this will go away in the
> near future.
> 
> The reason for this is that we have a lot of custom ASN.1/X.509 parsing
> code that is old, does not support upcoming and new algorithms and
> hashes, and has no concept of FIPS restrictions. If we use NSS, then all
> of that is done for us, and is actively maintained and extended for us
> to use.

How does FIPS enter into the parsing code?

-- 
Len Sorensen


More information about the Swan mailing list