[Swan] libreswan smartcards unexpected side effects

Paul Wouters paul at nohats.ca
Tue May 3 16:20:18 EEST 2022


On Tue, 3 May 2022, Ian Willis wrote:

> I will have a look at the impact of removing this file.
> 
> On a somewhat related note, is it reasonable and possible to do something
> like the following
> 
> Store IPSEC host keys in TPM and allowing the IPSEC link to be made live on
> system startup so that the system can participate on a private network and
> access non-public resources.

You can, but then you _will_ need to use that proxy method to get NSS to
pick up hardware stores automatically.

There is an "older" method of telling nss where the hardware is in the
libreswan nss files, e.g. see https://libreswan.org/wiki/Hardware_Tokens
which uses a YubiKey.

Paul

> Regards
> Ian
> 
> -----Original Message-----
> From: Paul Wouters <paul at nohats.ca>
> To: Ian Willis <ian at checksum.net.au>
> Cc: Swan at lists.libreswan.org
> Subject: Re: [Swan] libreswan smartcards unexpected side effects
> Date: Mon, 2 May 2022 15:22:52 -0400 (EDT)
> 
> On Fri, 29 Apr 2022, Ian Willis wrote:
> 
> So far it appears to just be the card reader itself which causes the issue.
> 
> It also appears to cause issues with Firefox which becomes unresponsive even
> after the card reader is removed.
> 
> See /etc/crypto-policies/local.d/nss-p11-kit.config
> 
> name=p11-kit-proxy
> library=p11-kit-proxy.so
> 
> It is p11-kit-proxy that pulls in the "system defaults" I believe.
> 
> My guess is if you delete/rename that file, it should no longer try
> to load any hardware within libreswan (or other nss apps!)
> 
> Paul
> 
> [34032.370329] usb 1-2.1.3: new full-speed USB device number 17 using xhci_hcd
> [34032.631033] usb 1-2.1.3: New USB device found, idVendor=096e, idProduct=060d, bcdDevice= 3.52
> [34032.631036] usb 1-2.1.3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
> [34032.631038] usb 1-2.1.3: Product: R502
> [34032.631039] usb 1-2.1.3: Manufacturer: Feitian
> [34032.631040] usb 1-2.1.3: SerialNumber: F6325B88290000F5
> [34066.200951] usb 1-2.1.3: USB disconnect, device number 17
> 
> Currently looking through https://access.redhat.com/articles/4253861 to gain
> a bit more insight on this and will probably just use an alternative reader.
> 
> Kind Regards
> 
> -----Original Message-----
> From: Paul Wouters <paul at nohats.ca>
> To: Ian Willis <ian at checksum.net.au>
> Cc: Swan at lists.libreswan.org
> Subject: Re: [Swan] libreswan smartcards unexpected side effects
> Date: Thu, 28 Apr 2022 22:37:27 +0200
> 
> There is an nss automatic hardware module loader config that makes system wide
> hooks available in nss that can be disabled in /etc with some option but
> I don't remember exactly which one and a quick google didn't help me. I ran
> into it when I installed open dnssec that installed softhsm and then Pluto's
> nss also read the softhsm store as part of nss.
> 
> Sent using a virtual keyboard on a phone
> 
> On Apr 28, 2022, at 16:34, Ian Willis <ian at checksum.net.au> wrote:
> 
>

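The mechanism the thread circles around is that the nss-p11-kit.config stanza loads p11-kit-proxy.so into every NSS application, and the proxy in turn exposes every system-wide PKCS#11 module, so a card reader or a SoftHSM installed for something else shows up inside pluto. The following is an added example, not code from libreswan, NSS or p11-kit: it models that decision offline by parsing p11-kit's "key: value" module files and applying the enable-in / disable-in rules from pkcs11.conf(5) (the precedence when both lists are present follows p11-kit's loader as I read it), together with the "key=value" stanza shape of the config snippet quoted above, which is an assumption about NSS's loader syntax sufficient for the model. The module names, library paths, program names and sample configs are constructed for illustration.

```python
"""Which PKCS#11 modules p11-kit-proxy hands to an NSS program such as pluto.

Added example, not libreswan, NSS or p11-kit code: it reimplements the
enable-in / disable-in rules of pkcs11.conf(5) over constructed module files;
module names, library paths and program names are illustrative assumptions.
"""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ModuleConfig:
    name: str                    # basename of the .module file
    library: str | None          # "module:" key, the .so p11-kit would load
    enable_in: frozenset[str]    # "enable-in:" program basenames
    disable_in: frozenset[str]   # "disable-in:" program basenames


def _csv(value: str) -> frozenset[str]:
    return frozenset(v.strip() for v in value.split(",") if v.strip())


def parse_module_file(name: str, text: str) -> ModuleConfig:
    """Parse a p11-kit 'key: value' *.module file; keys not modelled are ignored."""
    library, enable_in, disable_in = None, frozenset(), frozenset()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"{name}.module: malformed line {raw!r}")
        key, value = key.strip().lower(), value.strip()
        if key == "module":
            library = value
        elif key == "enable-in":
            enable_in = _csv(value)
        elif key == "disable-in":
            disable_in = _csv(value)
    return ModuleConfig(name, library, enable_in, disable_in)


def enabled_for(cfg: ModuleConfig, program: str) -> bool:
    """pkcs11.conf(5) rules: no list means enabled everywhere; enable-in
    restricts to the listed programs and wins when both lists are present
    (p11-kit warns about that); disable-in excludes the listed programs."""
    if cfg.library is None:      # no "module:" line, nothing to load
        return False
    if cfg.enable_in:
        return program in cfg.enable_in
    if cfg.disable_in:
        return program not in cfg.disable_in
    return True


def parse_nss_module_config(text: str) -> list[dict[str, str]]:
    """'key=value' stanzas separated by blank lines, the shape of the
    nss-p11-kit.config snippet in the thread (assumed NSS loader syntax)."""
    stanzas = []
    for block in re.split(r"\n\s*\n", text.strip()):
        if not block.strip():
            continue
        stanza = {}
        for line in block.splitlines():
            key, sep, value = line.partition("=")
            if not sep:
                raise ValueError(f"malformed NSS config line {line!r}")
            stanza[key.strip()] = value.strip()
        stanzas.append(stanza)
    return stanzas


def proxy_loaded(nss_config_text: str) -> bool:
    """True if some stanza loads p11-kit-proxy.so into the NSS application."""
    return any(s.get("library") == "p11-kit-proxy.so"
               for s in parse_nss_module_config(nss_config_text))


def effective_modules(nss_config_text: str, module_files: dict[str, str],
                      program: str) -> list[str]:
    """Modules 'program' ends up with: none without the proxy stanza."""
    if not proxy_loaded(nss_config_text):
        return []
    configs = [parse_module_file(n, t) for n, t in module_files.items()]
    return sorted(c.name for c in configs if enabled_for(c, program))


# Constructed sample inputs, not taken from any real host.
NSS_P11_KIT_CONFIG = "name=p11-kit-proxy\nlibrary=p11-kit-proxy.so\n"
MODULE_FILES = {
    "opensc": "# smartcard readers via OpenSC\nmodule: opensc-pkcs11.so\n",
    "softhsm2": "module: libsofthsm2.so\n# from OpenDNSSEC\ndisable-in: pluto\n",
    "tpm2": "module: libtpm2_pkcs11.so\nenable-in: pluto\n",
}

if __name__ == "__main__":
    for prog in ("pluto", "firefox"):
        print(prog, effective_modules(NSS_P11_KIT_CONFIG, MODULE_FILES, prog))
```

Run directly it lists what pluto and firefox would each be handed. The two knobs it models are the ones the thread mentions: removing the nss-p11-kit.config stanza (Paul's suggestion) drops the proxy for every NSS application on the host, whereas a `disable-in: pluto` line in the offending module's file under /etc/pkcs11/modules/ keeps that module available to Firefox and friends but out of libreswan, which is the narrower fix when only one application misbehaves. On a real host, `p11-kit list-modules` shows what the proxy actually exposes, which is the first thing to compare against this model.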
