Paul,

Although it is very insecure, would embedded systems be the reason for your xauthby=alwaysok?
This is aside from the NSS database aspect.

Philippe Vouters (Fontainebleau/France)
URL: http://vouters.dyndns.org/
SIP: sip:vout...@sip.linphone.org

On 04/10/2014 06:37 PM, Lennart Sorensen wrote:
On Thu, Apr 10, 2014 at 12:17:02PM -0400, Paul Wouters wrote:
The only part where we used openssl was for OCF userland, and these days
it is more expensive to offload crypto from userland to kernel than to
just do it in userland yourself without acceleration, even on embedded
hardware. So we dropped that support. It also required the non-NSS code
path.
A lot of embedded systems would much rather use dedicated crypto hardware
and save the CPU for other things (like routing and firewalling).
But hopefully most of the heavy lifting is in the encryption of packets
which is in the kernel. Rekeying and certificate handling is hopefully
a very small part of running ipsec.

Note PSKs are still in ipsec.secrets. So if you don't use certs or raw
RSA, you can just run: ipsec initnss at boot and forget about it. If you
need to add X.509 certs, "ipsec import file.p12". If you use raw RSA
keys, then you need to keep a persistent copy of the nss.db. Note that
pluto does not write to the NSS db. It is used read-only.
Well there must be a way to add the persistent raw rsa keys.  Keeping
around the nss database would not be an option.  We use one central
database for all config in the system with no exceptions.  Everything is
populated at boot to where it needs to be (in a ramdisk), and whenever
config is changed of course.
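The boot-time procedure the two of them are describing (empty NSS db for PSK-only setups, initnss plus a PKCS#12 import for X.509, a restored copy of the db for raw RSA keys, all populated into a ramdisk from a persistent store) as a small POSIX shell hook. This is an added example, not code from the thread or from the libreswan project; the persistent store path /persist/ipsec, the ramdisk NSS directory /etc/ipsec.d, and the key3.db/key4.db file names used to recognise a saved db are assumptions, and `ipsec initnss` / `ipsec import` are the libreswan commands named in the message.

```shell
#!/bin/sh
# Added example (not from the swan-dev thread or libreswan itself): rebuild
# pluto's NSS database in a ramdisk at boot from a persistent config store.
# Assumed paths: /persist/ipsec (persistent store), /etc/ipsec.d (NSS db
# location in the ramdisk), /etc/ipsec.secrets.
set -eu

PERSIST=${PERSIST:-/persist/ipsec}    # assumed persistent store
NSSDIR=${NSSDIR:-/etc/ipsec.d}        # assumed NSS db dir (lives on the ramdisk)
SECRETS=${SECRETS:-/etc/ipsec.secrets}
IPSEC=${IPSEC:-ipsec}                 # the libreswan "ipsec" wrapper command

# Work out which of the three cases applies from what the store holds.
# Prints one of: psk | x509 | rawrsa
nss_mode() {
    store=$1
    if [ -f "$store/nss/key4.db" ] || [ -f "$store/nss/key3.db" ]; then
        # A saved NSS db (assumed file names): raw RSA keys only exist in there.
        echo rawrsa
    elif ls "$store"/*.p12 >/dev/null 2>&1; then
        echo x509
    else
        echo psk
    fi
}

# Populate the ramdisk NSS dir and ipsec.secrets, then print the mode used.
populate_nss() {
    store=$1
    nssdir=$2
    secrets=${3:-$SECRETS}
    mode=$(nss_mode "$store")
    mkdir -p "$nssdir"

    # PSKs (and raw-RSA key references) are read from ipsec.secrets, so that
    # file is restored in every case.
    if [ -f "$store/ipsec.secrets" ]; then
        cp -p "$store/ipsec.secrets" "$secrets"
        chmod 600 "$secrets"
    fi

    case $mode in
    rawrsa)
        # pluto never writes the db, so a byte-for-byte copy of the saved one
        # is enough; do not run initnss on top of it.
        cp -p "$store"/nss/*.db "$nssdir"/
        ;;
    x509)
        # Fresh db, then import every PKCS#12 bundle from the store.
        "$IPSEC" initnss
        for p in "$store"/*.p12; do
            "$IPSEC" import "$p"
        done
        ;;
    psk)
        # Nothing lives in the db; an empty one keeps pluto happy.
        "$IPSEC" initnss
        ;;
    esac
    echo "$mode"
}

# Only touch the system when invoked as "populate-nss.sh run" (boot hook).
case ${1:-} in
run) populate_nss "$PERSIST" "$NSSDIR" ;;
esac
```

Run it from the same boot step that fills the rest of the ramdisk (`sh populate-nss.sh run`), before pluto starts. For a raw-RSA host the saved db directory is the thing to version in the central config database; for the other two cases the store only needs ipsec.secrets and, if used, the .p12 files.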


_______________________________________________
Swan-dev mailing list
Swan-dev@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan-dev
