[Openswan dev] problems with USE_LIBNSS

Paul Wouters paul at xelerance.com
Sun Jan 3 23:27:44 EST 2010


On Sun, 3 Jan 2010, Elio Maldonado Batiz wrote:

> NSS supports two types of databases, the legacy database
> (BerkeleyDB-based) and, since 3.12, the shared db (sqlite-based).
> The "sql:" prefix is to request the sqlite database be used. For legacy
> you get cert8.db and key3.db whereas for shared (sql) you get cert9.db
> and key4.db
> so the "sql:/etc/ipsec.d/cert8" string looks inconsistent.

>       Dec 29 20:56:34 usik pluto[21767]: nss directory plutomain:
>       sql:/etc/ipsec.d
>       Dec 29 20:56:34 usik pluto[21767]: NSS initialization failed
>       (err -8174)

> I guess the code in git reflects the state of NSS in Fedora usage which
> is NSS 3.12.4 which supports "sql:" whereas
> RHEL ships with NSS-3.12.3.99 but with the older softoken 3.11.5 (the
> last one that was FIPS validated) which lacks
> support for sqlite-based DB - thus the lack of the "sql:" prefix.  (The
> database support is part of softokn)

>       I'm quite sure removing this sql: from code will fix it but
>       can you
>       confirm this? Doesn't fedora version of openswan have this
>       same problem?
> 
> 
> Yes it will fix it but that is only needed for RHEL-5. Usage of "sql:%s"
> should be fine with Fedora or other systems with NSS (and softoken)
> 3.12.4.

I guess what we would really need is an nss path option for "config setup",
provided that would not compromise any FIPS requirements. Then people can
specify with or without the "sql:" prefix.

Paul
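
The following is an added example, not part of the original thread and not Openswan code. It uses the file names given in the quoted message (cert8.db/key3.db for legacy, cert9.db/key4.db for shared) to decide whether a directory string should carry the "sql:" prefix; the helper name nss_confdir is hypothetical.

```shell
# Added example: choose the NSS database string for a directory by looking
# at which database files it actually contains.
# nss_confdir is a hypothetical helper name, not an Openswan or NSS tool.
nss_confdir() {
    dir=$1
    legacy=no
    shared=no

    # Legacy (BerkeleyDB-based) format: cert8.db + key3.db
    [ -f "$dir/cert8.db" ] && [ -f "$dir/key3.db" ] && legacy=yes
    # Shared (sqlite-based) format, NSS 3.12 and later: cert9.db + key4.db
    [ -f "$dir/cert9.db" ] && [ -f "$dir/key4.db" ] && shared=yes

    case "$legacy:$shared" in
        yes:no)
            # Legacy database: plain directory, no prefix
            printf '%s\n' "$dir" ;;
        no:yes)
            # Shared database: request sqlite with the "sql:" prefix
            printf 'sql:%s\n' "$dir" ;;
        yes:yes)
            # Both formats exist; the files alone cannot say which one is intended
            echo "both database formats present in $dir; choose one explicitly" >&2
            return 2 ;;
        *)
            # Missing or incomplete pair (for example cert9.db without key4.db)
            echo "no complete NSS database pair in $dir" >&2
            return 1 ;;
    esac
}
```

The check only inspects files. Whether the installed softoken can open a "sql:" database is a separate question, as the quoted message explains for RHEL-5.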

