[Swan] libreswan smartcards unexpected side effects

Ian Willis ian at checksum.net.au
Tue May 3 09:57:12 EEST 2022

Thanks Paul,
I will have a look at the impact of removing this file.
On a somewhat related note, is it reasonable and possible to do
something like the following: store IPSEC host keys in a TPM and allow
the IPSEC link to be made live on system startup, so that the system
can participate on a private network and access non-public resources.
-----Original Message-----
From: Paul Wouters <paul at nohats.ca>
To: Ian Willis <ian at checksum.net.au>
Cc: Swan at lists.libreswan.org
Subject: Re: [Swan] libreswan smartcards unexpected side effects
Date: Mon, 2 May 2022 15:22:52 -0400 (EDT)
On Fri, 29 Apr 2022, Ian Willis wrote:
> So far it appears to just be the card reader itself which causes the
> issue. It also appears to cause issues with Firefox which becomes
> unresponsive even after the card reader is removed.

See /etc/crypto-policies/local.d/nss-p11-kit.config
It is p11-kit-proxy that pulls in the "system defaults" I believe. My
guess is if you delete/rename that file, it should no longer try any
hardware within libreswan (or other nss apps!)

> [34032.370329] usb 1-2.1.3: new full-speed USB device number 17 using xhci_hcd
> [34032.631033] usb 1-2.1.3: New USB device found, idVendor=096e, idProduct=060d, bcdDevice= 3.52
> [34032.631036] usb 1-2.1.3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
> [34032.631038] usb 1-2.1.3: Product: R502
> [34032.631039] usb 1-2.1.3: Manufacturer: Feitian
> [34032.631040] usb 1-2.1.3: SerialNumber: F6325B88290000F5
> [34066.200951] usb 1-2.1.3: USB disconnect, device number 17
> Currently looking through https://access.redhat.com/articles/4253861
> to gain a bit more insight on this and will probably just use an alternative reader.
> Kind Regards
> -----Original Message-----
> From: Paul Wouters <paul at nohats.ca>
> To: Ian Willis <ian at checksum.net.au>
> Cc: Swan at lists.libreswan.org
> Subject: Re: [Swan] libreswan smartcards unexpected side effects
> Date: Thu, 28 Apr 2022 22:37:27 +0200
> There is an nss automatic hardware module loader config that makes
> system wide hooks available in nss that can be disabled in /etc with
> some option but I don’t remember exactly which one and a quick google
> didn’t help me. I ran into it when I installed open dnssec that
> installed softhsm and then Pluto’s nss also read it the softhsm
> stored as part of nss.
> Sent using a virtual keyboard on a phone
> On Apr 28, 2022, at 16:34, Ian Willis <ian at checksum.net.au> wrote:
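Added here as a worked example, not code from this thread or from the libreswan project: a small POSIX shell check that shows what the nss-p11-kit.config hook Paul points at actually does to an NSS application such as pluto. It reports whether the hook file is present in a crypto-policies local.d directory, which PKCS#11 libraries it references, how many modules p11-kit-proxy would currently expose to every NSS program, and what is loaded into libreswan's own NSS database. Assumptions not taken from the thread: libreswan's NSS database is at /var/lib/ipsec/nss (older releases used /etc/ipsec.d), and the `p11-kit` and `modutil` tools are installed where their listings are wanted; both are skipped gracefully when absent.

```shell
#!/bin/sh
# Added diagnostic helper for the p11-kit-proxy hook discussed in the thread.
# Not code from the thread or from the libreswan project.
# Assumptions (not stated in the thread):
# - the hook file is <local.d>/nss-p11-kit.config, as named by Paul
# - libreswan's NSS database lives in /var/lib/ipsec/nss
# - "p11-kit list-modules" and "modutil -list" are the listing tools

# Report whether the hook that loads p11-kit-proxy into every NSS
# application is present in the given crypto-policies local.d directory,
# printing the PKCS#11 library names it references.
# Returns 0 when the hook file is present, 1 when it is absent.
p11_hook_present() {
    hook="$1/nss-p11-kit.config"
    [ -f "$hook" ] || return 1
    # NSS config lines look like: library=<lib.so> name=<module name> ...
    grep -o 'library=[^[:space:]]*' "$hook" | sed 's/^library=//'
    return 0
}

# Count the PKCS#11 modules p11-kit currently exposes through the proxy.
# Module names start at column 0 in "p11-kit list-modules" output;
# their attributes are indented. Prints 0 when p11-kit is not installed.
p11_module_count() {
    command -v p11-kit >/dev/null 2>&1 || { echo 0; return 0; }
    p11-kit list-modules 2>/dev/null | grep -c '^[^[:space:]]'
    return 0
}

# List the modules registered in an NSS database (for example libreswan's).
# Skipped with a note when NSS's modutil is not installed.
nss_modules() {
    dbdir="$1"
    command -v modutil >/dev/null 2>&1 || { echo "modutil not installed"; return 0; }
    modutil -dbdir "sql:$dbdir" -list 2>/dev/null
}

main() {
    local_d="${1:-/etc/crypto-policies/local.d}"
    nssdir="${2:-/var/lib/ipsec/nss}"
    if libs=$(p11_hook_present "$local_d"); then
        echo "p11-kit hook present in $local_d; NSS apps will load: $libs"
        echo "p11-kit currently exposes $(p11_module_count) module(s) to them"
    else
        echo "no nss-p11-kit.config in $local_d; NSS apps load only their own modules"
    fi
    echo "modules registered in NSS db $nssdir:"
    nss_modules "$nssdir"
}

main "$@"
```

Run it as `sh p11-hook-check.sh` (optionally passing a different local.d directory and NSS database path). If the hook is present and `p11-kit list-modules` shows a smartcard driver, that is the path by which the reader reaches pluto, Firefox and every other NSS consumer. After renaming the hook file as Paul suggests, run `update-crypto-policies` so the generated back-end NSS config under /etc/crypto-policies/back-ends is rebuilt without it, then re-run this check; the first line should change to "no nss-p11-kit.config".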