[Openswan dev] problems with USE_LIBNSS
Elio Maldonado Batiz
elio.maldonado.batiz at gmail.com
Sun Jan 3 16:28:37 EST 2010
On Tue, Dec 29, 2009 at 1:21 PM, Tuomo Soini <tis at foobar.fi> wrote:
> I tried to test openswan-2.6.24rc5 compiled with nss support. I couldn't
> get it working and after some investigation I found out this by stracing
> pluto:
>
> stat("sql:/etc/ipsec.d/cert8.db", 0x7fffe95e04c0) = -1 ENOENT (No such
> file or directory)
>
> and
>
> open("sql:/etc/ipsec.d/cert8.db", O_RDWR) = -1 ENOENT (No such file or
> directory)
>
> NSS supports two types of databases, the legacy database (BerkeleyDB-based)
and, since 3.12, the shared db (sqlite-based).
The "sql:" prefix is to request the sqlite database be used. For legacy you
get cert8.db and key3.db whereas for shared (sql) you get cert9.db and
key4.db
so the "sql:/etc/ipsec.d/cert8" string looks inconsistent.
db
On log I see this:
>
> Dec 29 20:56:34 usik pluto[21767]: nss directory plutomain:
> sql:/etc/ipsec.d
> Dec 29 20:56:34 usik pluto[21767]: NSS initialization failed (err -8174)
>
> I'm not first one to find out NSS support doesn't work on
> openswan-2.6.24rc series but I did dig deeper and found a difference
> from openswan-2.6.21 nss patch used in rhel5 and nss patch which got
> included into openswan git tree.
>
> openswan-2.6.21-nss.patch has this change for plutomain.c
>
> + snprintf(buf, sizeof(buf), "%s",oco->confddir);
>
> and git tree has:
>
> + snprintf(buf, sizeof(buf), "sql:%s",oco->confddir);
>
I guess the code in git reflects the state of NSS in Fedora usage which is
NSS is 3.12.4 which supports "sql:" whereas
RHEL ships with NSS-3.12.3.99 but with the older softoken 3.11.5 (the last
one that was FIPS validated) which lacks
support for sqlite-based DB - thus the lack of the "sql:" prefix. (The
database support is part of softokn)
> I'm quite sure removing this sql: from code will fix it but can you
> confirm this? Doesn't fedora version of openswan have this same problem?
>
Yes it will fix it but that is only needed for RHEL-5. Usage of "sql:%s"
should be fine with Fedora or other systems with NSS (and softoken) 3.12.4.
Hope this helps.
Elio
>
> --
> Tuomo Soini <tis at foobar.fi>
> Foobar Linux services
> +358 40 5240030
> Foobar Oy <http://foobar.fi/>
> _______________________________________________
> Dev mailing list
> Dev at openswan.org
> http://lists.openswan.org/mailman/listinfo/dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/dev/attachments/20100103/59c941fe/attachment.html
More information about the Dev
mailing list