On Tue, 7 Oct 2014, Fisher Kernel wrote:
> First timer on the list so, first of all, thanks for libreswan! You guys are doing a wonderful job.
Thanks! and welcome!
> I'm currently in the process of moving from openswan to libreswan and wanted to share three notes from my log book.
These kinds of notes are very welcome. It helps us to make migration easier for everyone, and we don't have everyone's specific setup details.
> 1) whack rereadall doesn't reload nss certificates. This has been brought up before: https://lists.libreswan.org/pipermail/swan/2014/000707.html
> As the previous author this is something I'm also interested in.
Matt is working on that. To be able to automatically read updates to the NSS database, we need to use the "new" sql format. For that we need to migrate the existing nss db into the new format. Matt has working concept code that we hope to merge in soon. Once that code is in, pluto will automatically be able to access updates made inside the NSS database. (Additionally, you would no longer need to specify a line in ipsec.secrets for the private key.)
> 2) crl verification needs curl. I have my crls in the crls folder. I compiled without curl and noticed that crl verification didn't happen. From what I remember, things looked good from the logs. No sign that verification was off. But in verify_x509cert there is an ifdef around verify_by_crl:
> #if defined(LIBCURL) || defined(LDAP_VER)
I believe once the above is done, we will also get runtime CRL updates for free by just adding those into the nss db. But you are right that we should really read the CRLs in /etc/ipsec.d/crls when rereadall is used. For non-file based CRLs, an outside program (not pluto itself) will handle updating the nss db with new CRLs, so we can keep running pluto in readonly on the nss db.
> 3) missing git tag v3.10. Can there be one for 3.11?
I'll push the tag.
Paul
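The silent compile-out behind note 2, as an added illustration that is not libreswan's code: a check guarded the way the quoted `#if` is, beside a variant that consults the local CRL however the binary was built and reports a missing CRL explicitly. The `struct crl`, `verify_guarded` and `verify_local_crl` names and the serial numbers are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed stand-in for a CRL loaded from /etc/ipsec.d/crls; not a
 * libreswan type, just enough state to show the control flow. */
struct crl {
    const unsigned long *revoked;   /* serial numbers listed as revoked */
    size_t n_revoked;
    bool loaded;                    /* false when no CRL file was read */
};

enum verify_result { VERIFY_OK, VERIFY_REVOKED, VERIFY_NO_CRL };

static bool serial_in_crl(const struct crl *crl, unsigned long serial)
{
    for (size_t i = 0; i < crl->n_revoked; i++)
        if (crl->revoked[i] == serial)
            return true;
    return false;
}

/* The pattern the mail describes: the whole CRL step is compiled out
 * unless a fetch backend exists, so a build without curl or LDAP never
 * consults even a locally installed CRL and says nothing about it. */
static enum verify_result verify_guarded(unsigned long serial,
        const struct crl *crl, bool *crl_consulted)
{
    *crl_consulted = false;
#if defined(LIBCURL) || defined(LDAP_VER)
    *crl_consulted = true;
    if (serial_in_crl(crl, serial))
        return VERIFY_REVOKED;
#else
    (void)crl; (void)serial;        /* revoked certificate passes here */
#endif
    return VERIFY_OK;
}

/* Hardened variant: local CRLs are checked regardless of build options,
 * and a missing CRL is an explicit result the caller can log or reject. */
static enum verify_result verify_local_crl(unsigned long serial,
        const struct crl *crl, bool *crl_consulted)
{
    *crl_consulted = crl->loaded;
    if (!crl->loaded)
        return VERIFY_NO_CRL;       /* fail closed or warn, never silent */
    return serial_in_crl(crl, serial) ? VERIFY_REVOKED : VERIFY_OK;
}
```

Built without `LIBCURL` or `LDAP_VER`, `verify_guarded` returns `VERIFY_OK` for a serial the loaded CRL lists as revoked, which is exactly the quiet failure the note reports.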
