[Swan] moving from openswan to libreswan

Paul Wouters paul at nohats.ca
Tue Oct 7 23:19:20 EEST 2014


On Tue, 7 Oct 2014, Fisher Kernel wrote:

> First timer on the list so, first of all, thanks for libreswan!
> You guys are doing a wonderful job.

Thanks! and welcome!

> I'm currently in the process of moving from openswan to libreswan
> and wanted to share three notes from my log book.

These kinds of notes are very welcome. It helps us to make migration
easier for everyone, and we don't have everyone's specific setup
details.

> 1) whack rereadall doesn't reload nss certificates.
> This has been brought up before:
> https://lists.libreswan.org/pipermail/swan/2014/000707.html
> As the previous author this is something I'm also interested in.

Matt is working on that. To be able to automatically read updates to
the NSS database, we need to use the "new" sql format. For that we
need to migrate the existing nss db into the new format. Matt has
working concept code that we hope to merge in soon. Once that code
is in, pluto will automatically be able to access updates made inside
the NSS database. (additionally, you would no longer need to specify
a line in ipsec.secrets for the private key)

> 2) crl verification needs curl.
> I have my crls in the crls folder.
> I compiled without curl and noticed that crl verification didn't happen.
> From what I remember, things looked good from the logs.
> No sign that verification was off.
> But in verify_x509cert there is an ifdef around verify_by_crl.
> #if defined(LIBCURL) || defined(LDAP_VER)

I believe once the above is done, we will also get runtime CRL updates
for free by just adding those into the nss db. But you are right that
we should really read the CRLs in /etc/ipsec.d/crls when rereadall
is used. For non-file based CRLs, an outside program (not pluto itself)
will handle updating the nss db with new CRLs, so we can keep running
pluto in readonly on the nss db.

> 3) missing git tag v3.10.
> Can there be one for 3.11?

I'll push the tag.

Paul

