On Tue, 3 May 2022, Ian Willis wrote:
I will have a look at the impact of removing this file.
On a somewhat related note, is it reasonable and possible to do something
like the following:
Store IPSEC host keys in TPM and allow the IPSEC link to be made live on
system startup so that the system can participate on a private network and
access non-public resources?
You can, but then you _will_ need to use that proxy method to get NSS to
pick up hardware stores automatically.
There is an "older" method by telling nss where the hardware is in the
libreswan nss files, e.g. see https://libreswan.org/wiki/Hardware_Tokens
that uses yubikey.
Paul
Regards
Ian
-----Original Message-----
From: Paul Wouters <[email protected]>
To: Ian Willis <[email protected]>
Cc: [email protected]
Subject: Re: [Swan] libreswan smartcards unexpected side effects
Date: Mon, 2 May 2022 15:22:52 -0400 (EDT)
On Fri, 29 Apr 2022, Ian Willis wrote:
So far it appears to just be the card reader itself which causes the issue.
It also appears to cause issues with Firefox which becomes unresponsive even
after the card reader is removed.
See /etc/crypto-policies/local.d/nss-p11-kit.config
name=p11-kit-proxy
library=p11-kit-proxy.so
It is p11-kit-proxy that pulls in the "system defaults" I believe.
My guess is if you delete/rename that file, it should no longer try
to any hardware within libreswan (or other nss apps!)
Paul
[34032.370329] usb 1-2.1.3: new full-speed USB device number 17 using xhci_hcd
[34032.631033] usb 1-2.1.3: New USB device found, idVendor=096e, idProduct=060d, bcdDevice= 3.52
[34032.631036] usb 1-2.1.3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[34032.631038] usb 1-2.1.3: Product: R502
[34032.631039] usb 1-2.1.3: Manufacturer: Feitian
[34032.631040] usb 1-2.1.3: SerialNumber: F6325B88290000F5
[34066.200951] usb 1-2.1.3: USB disconnect, device number 17
Currently looking through https://access.redhat.com/articles/4253861 to gain
a bit more insight on this and will probably just use an alternative reader.
Kind Regards
-----Original Message-----
From: Paul Wouters <[email protected]>
To: Ian Willis <[email protected]>
Cc: [email protected]
Subject: Re: [Swan] libreswan smartcards unexpected side effects
Date: Thu, 28 Apr 2022 22:37:27 +0200
There is an nss automatic hardware module loader config that makes
system-wide hooks available in nss that can be disabled in /etc with some
option but I don’t remember exactly which one and a quick google didn’t help
me. I ran into it when I installed OpenDNSSEC that installed softhsm and then
Pluto’s nss also read it the softhsm stored as part of nss.
Sent using a virtual keyboard on a phone
On Apr 28, 2022, at 16:34, Ian Willis <[email protected]> wrote: