Hey all, I've pushed a branch called nss_upgrade_9_03 that has patches for pluto to start using an SQL format NSS database, outside of the ipsec.d dir (/var/lib/pluto by default). Pluto still opens the database read-only as the intent is to use helper programs to write to the database as needed in the future, but the benefit of this now is that changes to certificates get picked up by a running pluto (i.e. adding a new cert for a newly added connection previously needed a restart).
The upgrade code is part of ipsec --checknss which runs each time pluto is started from systemd. It checks to see if you have the old format database in ipsec.d and no SQL format database in the new location, which indicates that the upgrade is needed. The ipsec.d files are backed up and certutil --upgrade-merge is called twice, to work around an NSS bug. This works for databases both with passwords (from ipsec.d/nsspassword) and without.

I think this is overall a simpler solution to handling the upgrade than my earlier efforts of trying to handle it all within pluto. Needing to hack around the NSS problems made the upgrade code a mess.

Wolfgang, I know you were using the earlier version of this so your input would be appreciated again as well.

Thanks,
Matt

_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
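The check-then-merge sequence the mail describes (old dbm-format database present in ipsec.d, no SQL-format database yet in the new directory, back up, run certutil --upgrade-merge twice), written out as a small POSIX shell script. This is an added illustration, not the libreswan checknss code from the branch. It assumes the standard NSS file names (cert8.db/key3.db/secmod.db for the old dbm format, cert9.db/key4.db/pkcs11.txt for the SQL format), the --upgrade-id value "ipsec" is a constructed choice, and passing ipsec.d/nsspassword via certutil's -f and -@ options is an assumption about how a password-protected database would be handled.

```shell
#!/bin/sh
# Added example, not libreswan's own checknss code.
# Assumed locations; the mail gives /var/lib/pluto as pluto's default new dir.
OLD_DIR="${OLD_DIR:-/etc/ipsec.d}"
NEW_DIR="${NEW_DIR:-/var/lib/pluto}"

# Old dbm-format NSS database files vs. new sql-format files.
has_dbm_db() { [ -f "$1/cert8.db" ] && [ -f "$1/key3.db" ]; }
has_sql_db() { [ -f "$1/cert9.db" ] && [ -f "$1/key4.db" ]; }

# True (exit 0) only when the old database exists and no sql one exists yet,
# which is the condition the mail uses to decide an upgrade is needed.
needs_nss_upgrade() {
    has_dbm_db "$1" && ! has_sql_db "$2"
}

# Copy the old database files into a timestamped backup directory under the
# old dir and print that directory's path.
backup_dbm_db() {
    src="$1"
    dest="$src/backup-$(date +%Y%m%d%H%M%S)"
    mkdir -p "$dest"
    for f in cert8.db key3.db secmod.db; do
        [ -f "$src/$f" ] && cp -p "$src/$f" "$dest/"
    done
    echo "$dest"
}

# Merge the old database into a sql: database in the new directory.
# The mail says certutil --upgrade-merge is run twice to work around an NSS
# bug, so two passes are made here. Password handling via -f/-@ and the
# --upgrade-id value "ipsec" are assumptions, not taken from the branch.
upgrade_nss_db() {
    old="$1"; new="$2"
    pwopts=""
    if [ -f "$old/nsspassword" ]; then
        pwopts="-f $old/nsspassword -@ $old/nsspassword"
    fi
    mkdir -p "$new"
    for pass in 1 2; do
        # $pwopts is intentionally unquoted so it expands to separate args.
        # shellcheck disable=SC2086
        certutil --upgrade-merge -d "sql:$new" --source-dir "$old" \
            --upgrade-id ipsec $pwopts \
            || echo "certutil pass $pass exited with status $?" >&2
    done
}

# Only act on the real directories when explicitly asked to.
case "${1:-}" in
    --run)
        if needs_nss_upgrade "$OLD_DIR" "$NEW_DIR"; then
            echo "old NSS database backed up to $(backup_dbm_db "$OLD_DIR")"
            upgrade_nss_db "$OLD_DIR" "$NEW_DIR"
        else
            echo "no NSS upgrade needed"
        fi
        ;;
esac
```

Invoked as `OLD_DIR=/etc/ipsec.d NEW_DIR=/var/lib/pluto sh upgrade.sh --run`, the script is a no-op once cert9.db/key4.db exist in the new directory, which is what lets it run safely on every pluto start the way the mail describes for checknss.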
