<br><div class="gmail_quote">On Tue, Dec 29, 2009 at 1:21 PM, Tuomo Soini <span dir="ltr"><<a href="mailto:tis@foobar.fi">tis@foobar.fi</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
I tried to test openswan-2.6.24rc5 compiled with nss support. I couldn't<br>
get it working and after some investigation I found out this by stracing<br>
pluto:<br>
<br>
stat("sql:/etc/ipsec.d/cert8.db", 0x7fffe95e04c0) = -1 ENOENT (No such<br>
file or directory)<br>
<br>
and<br>
<br>
open("sql:/etc/ipsec.d/cert8.db", O_RDWR) = -1 ENOENT (No such file or<br>
directory)<br>
<br></blockquote><div>NSS supports two types of databases, the legacy database (BerkeleyDB-based) and, since 3.12, the shared db (sqlite-based). <br>The "sql:" prefix is to request that the sqlite database be used. For legacy you get cert8.db and key3.db, whereas for shared (sql) you get cert9.db and key4.db,<br>
so the "sql:/etc/ipsec.d/cert8.db" string looks inconsistent.<br><br></div>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
On log I see this:<br>
<br>
Dec 29 20:56:34 usik pluto[21767]: nss directory plutomain: sql:/etc/ipsec.d<br>
Dec 29 20:56:34 usik pluto[21767]: NSS initialization failed (err -8174)<br>
<br>
I'm not the first one to find out NSS support doesn't work on the<br>
openswan-2.6.24rc series, but I did dig deeper and found a difference<br>
between the openswan-2.6.21 nss patch used in rhel5 and the nss patch which got<br>
included into the openswan git tree.<br>
<br>
openswan-2.6.21-nss.patch has this change for plutomain.c<br>
<br>
+ snprintf(buf, sizeof(buf), "%s",oco->confddir);<br>
<br>
and git tree has:<br>
<br>
+ snprintf(buf, sizeof(buf), "sql:%s",oco->confddir);<br></blockquote><div><br>I guess the code in git reflects the state of NSS in Fedora usage, which is NSS 3.12.4, which supports "sql:", whereas<br>
RHEL ships with NSS-3.12.3.99 but with the older softoken 3.11.5 (the last one that was FIPS validated), which lacks<br>support for the sqlite-based DB, thus the lack of the "sql:" prefix. (The database support is part of softokn.)<br>
<br></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br>
I'm quite sure removing this sql: from the code will fix it, but can you<br>
confirm this? Doesn't the fedora version of openswan have this same problem?<br></blockquote><div><br>Yes, it will fix it, but that is only needed for RHEL-5. Usage of "sql:%s" should be fine with Fedora or other systems with NSS (and softoken) 3.12.4.<br>
Hope this helps.<br><br>Elio <br></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br>
--<br>
<font color="#888888">Tuomo Soini <<a href="mailto:tis@foobar.fi">tis@foobar.fi</a>><br>
Foobar Linux services<br>
+358 40 5240030<br>
Foobar Oy <<a href="http://foobar.fi/" target="_blank">http://foobar.fi/</a>><br>
_______________________________________________<br>
Dev mailing list<br>
<a href="mailto:Dev@openswan.org">Dev@openswan.org</a><br>
<a href="http://lists.openswan.org/mailman/listinfo/dev" target="_blank">http://lists.openswan.org/mailman/listinfo/dev</a><br>
</font></blockquote></div><br>
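The mismatch discussed in this thread (a "sql:" prefix pointing NSS at a directory that only holds the legacy cert8.db/key3.db pair) can be caught before NSS_Initialize() is ever called. The following is an added example, not openswan code and not from either poster: it probes a configuration directory for the database pair that is actually present (cert9.db/key4.db for the sqlite backend, cert8.db/key3.db for the legacy BerkeleyDB backend) and builds the matching database spec, refusing to emit a string when no pair is found or the buffer is too small. The function names (nss_probe_db_kind, nss_format_db_spec, file_exists) and the enum are assumptions introduced here.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Added example (hypothetical helpers, not openswan's or NSS's own API).
 * NSS file names as described in the thread: legacy (BerkeleyDB) is
 * cert8.db + key3.db; shared/sqlite (NSS >= 3.12) is cert9.db + key4.db.
 * The "sql:" prefix on the directory selects the sqlite backend. */

enum nss_db_kind { NSS_DB_NONE = 0, NSS_DB_LEGACY = 1, NSS_DB_SQL = 2 };

/* Return 1 if <dir>/<name> exists, 0 otherwise (or if the path would not fit). */
static int file_exists(const char *dir, const char *name)
{
    char path[4096];
    struct stat st;
    int n = snprintf(path, sizeof(path), "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= sizeof(path))
        return 0;
    return stat(path, &st) == 0;
}

/* Probe which database pair is present in confddir; prefer the sqlite pair
 * when both exist, since a softoken that understands "sql:" can use it. */
enum nss_db_kind nss_probe_db_kind(const char *confddir)
{
    if (file_exists(confddir, "cert9.db") && file_exists(confddir, "key4.db"))
        return NSS_DB_SQL;
    if (file_exists(confddir, "cert8.db") && file_exists(confddir, "key3.db"))
        return NSS_DB_LEGACY;
    return NSS_DB_NONE;
}

/* Build the directory spec handed to NSS: "sql:<dir>" for the sqlite backend,
 * bare "<dir>" for the legacy backend (what the RHEL-5 patch does).
 * Returns 0 on success, -1 on truncation or when no database pair was found,
 * so the caller never ends up with a spec like sql:/etc/ipsec.d pointing at
 * a directory that only contains cert8.db. */
int nss_format_db_spec(enum nss_db_kind kind, const char *confddir,
                       char *buf, size_t buflen)
{
    int n;
    switch (kind) {
    case NSS_DB_SQL:
        n = snprintf(buf, buflen, "sql:%s", confddir);
        break;
    case NSS_DB_LEGACY:
        n = snprintf(buf, buflen, "%s", confddir);
        break;
    default:
        return -1;
    }
    return (n < 0 || (size_t)n >= buflen) ? -1 : 0;
}

/* Stand-alone usage: ./nssprobe /etc/ipsec.d */
int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : "/etc/ipsec.d";
    char spec[4096];
    enum nss_db_kind kind = nss_probe_db_kind(dir);

    if (nss_format_db_spec(kind, dir, spec, sizeof(spec)) != 0) {
        fprintf(stderr, "no usable NSS database pair found in %s\n", dir);
        return 1;
    }
    printf("NSS database spec: %s\n", spec);
    return 0;
}
```

On a RHEL-5 style system with the old softoken, the probe reports NSS_DB_LEGACY and the spec stays unprefixed; on a Fedora system where certutil created the sqlite pair, it reports NSS_DB_SQL and the "sql:" prefix is added. Either way the stat() calls seen in the original strace are made against the real file names rather than against a prefixed path.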