On Wed, 22 Jun 2016, Daniel Kahn Gillmor wrote:
To: Paul Wouters <[email protected]>
Subject: Re: libreswan in debian - Ondřej offered to help (fwd)
On Mon 2016-06-20 13:25:26 -0400, Paul Wouters wrote:
The VTI stuff is bleeding edge. So I can understand KLIPS users want to
still use it for a few more releases. We get frequent requests about
KLIPS. Anyway, if you're the maintainer we can do without KLIPS and
see what happens.
Let's start it that way. If that works for some folks, but others rally
around KLIPS, then we can add it in. It's much easier to go in that
direction than to take something away from even a tiny number of people
once they've come to expect it :)
Okay.
OK, i'll modify debian to make it use /var/lib/ipsec/nss for the nss
directory.
Ok.
And maybe just rename --configdir to --nssdir (and leave the old name
undocumented)
I'm happy to have --nssdir be the formal name for all of the subcommands
which need it. What i don't want is for that configuration parameter to
influence other file locations.
What option will libreswan use to look for policies/ and passwd and
nsspassword ? (and cacerts/ and crls/ for as long as those remain an
option)
That would remain --ipsecdir
No one should call rsasigkey directly, it is supposed to go through the
newhostkey wrapper. Which you suggested above could cause the nss init.
Maybe it should be named _rsasigkey then?
Yes, it should have been :)
Let's hope it goes away when we start adding support for non-RSA keys
too :)
the EXAMPLES section in ipsec_rsasigkey(8) shows:
ipsec rsasigkey --verbose 4096 >mykey.txt
but of course that fails...
It does? It works for me. If you specify --configdir then it does need
to get the sql: prefix unfortunately. We do need to fix our tools to
always add that to a prefix if not there.
Paul
_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
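The "sql:" prefix Paul mentions is an NSS convention, not a libreswan one: NSS tools such as certutil treat a bare -d directory as the legacy Berkeley DB ("dbm:") format unless the path carries a "sql:" prefix (or NSS is configured to default to SQLite), while the database libreswan creates is in the SQLite format (cert9.db/key4.db). The following POSIX shell is an added example, not code from libreswan or from either author, showing the normalisation the thread says the tools should do themselves and a check that catches a format/prefix mismatch. The function names, the sample directory layout and the /var/lib/ipsec/nss default are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not libreswan code): normalise an NSS database directory
# argument the way "ipsec rsasigkey --configdir DIR" would need before
# handing it to NSS, and detect which on-disk database format is present.

# nss_dir_arg DIR -> DIR with an explicit "sql:" prefix. An existing
# "sql:" or "dbm:" prefix is left alone; an empty argument falls back to
# the Debian location agreed in the thread (assumed default here).
nss_dir_arg() {
    case "$1" in
        sql:*|dbm:*) printf '%s\n' "$1" ;;
        '')          printf '%s\n' "sql:/var/lib/ipsec/nss" ;;
        *)           printf 'sql:%s\n' "$1" ;;
    esac
}

# nss_dir_path ARG -> the bare filesystem path behind an NSS dir argument,
# for checks that have to look at the files rather than call NSS.
nss_dir_path() {
    case "$1" in
        sql:*) printf '%s\n' "${1#sql:}" ;;
        dbm:*) printf '%s\n' "${1#dbm:}" ;;
        *)     printf '%s\n' "$1" ;;
    esac
}

# nss_db_format ARG -> "sql", "dbm" or "none", decided by which NSS
# database files exist. SQLite format uses cert9.db/key4.db, legacy
# dbm uses cert8.db/key3.db. Passing a dbm-prefixed argument for an
# sql-format directory (or vice versa) is the mismatch that makes
# "certutil -d DIR" report an empty database.
nss_db_format() {
    d=$(nss_dir_path "$1")
    if [ -f "$d/cert9.db" ] && [ -f "$d/key4.db" ]; then
        echo sql
    elif [ -f "$d/cert8.db" ] && [ -f "$d/key3.db" ]; then
        echo dbm
    else
        echo none
    fi
}

# nss_prefix_matches ARG -> exit 0 when the prefix on ARG agrees with the
# database files actually found, non-zero on a mismatch or missing DB.
nss_prefix_matches() {
    fmt=$(nss_db_format "$1")
    case "$1" in
        dbm:*) [ "$fmt" = dbm ] ;;
        *)     [ "$fmt" = sql ] ;;
    esac
}

# Demo on a constructed temporary directory with empty files laid out
# like an SQLite-format NSS database (no real NSS content).
demo() {
    tmp=$(mktemp -d)
    : > "$tmp/cert9.db"
    : > "$tmp/key4.db"
    arg=$(nss_dir_arg "$tmp")
    echo "certutil would be given: -d $arg"
    echo "on-disk format: $(nss_db_format "$arg")"
    if nss_prefix_matches "$arg"; then
        echo "prefix matches database format"
    else
        echo "prefix/format mismatch"
    fi
    rm -rf "$tmp"
}
demo
```

The point of nss_prefix_matches is the failure mode in the thread: the manual example works for Paul because his tools already see "sql:" in the path, while a bare --configdir makes NSS look for a dbm database that is not there.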