On Wed, 23 Jan 2019, Kostya Vasilyev wrote:
> It would be nice if NSS supported importing / exporting openssl *keys* directly, including private keys, to make key management easier, but I understand it's an external (to libreswan) piece of software.

Yeah, we have talked to the NSS people about that. It's hard for them to do since they try to not allow exporting private keys at all, unless wrapped in something (e.g. like p12) for FIPS reasons.

> I also understand that "real" cert based auth is more common (or else people probably contend with PSK...)

I'm glad you are not using PSK, as it is the weakest method. I even presented on this recently at IETF:

https://datatracker.ietf.org/meeting/103/materials/slides-103-ipsecme-psks-will-always-be-weak-00

So thanks for sticking with non-PSK authentication :)

Paul
