Hello,

We hear quite often that the key/cert db's RHDS is using are in the old format and have been suggested to switch to the sql db. It turned out it is quite easy, although there is one minor issue I described in the comment in the patch [*]. But as long as we use "sql:path" to access the db's, there is no problem. Also, we need to find out the upgrade scenario, which should not be hard since, e.g., lots of mozilla products have gone through the path.

My biggest question is whether we should do this or not... :) Please share your thoughts.

Thanks!
--noriko

https://fedorahosted.org/389/ticket/48760
https://fedorahosted.org/389/attachment/ticket/48760/0001-Ticket-48760-NSS-switching-to-the-sql-db.patch (git patch file (master))
https://fedorahosted.org/389/attachment/ticket/48760/0002-Ticket-48760-CI-test-test-cases-for-47536-and-48760.patch (CI test)

Description:
389-ds-base and 389-admin are using the old format of key/cert db. NSS recommends to switch to the sql format having the shared DB feature. The current version of NSS (3.22.0 and older) takes ordinary paths to access the cert db, while it requires the prefix "sql:" for the sql db. By setting the environment variable 'NSS_DEFAULT_DB_TYPE="sql"', the default path setting is supposed to be switched.

This patch tries these 2 cases.
1) #define ENABLE_SQL_PREFIX 1
   This enables generating "sql:/path/to/certdir".
2) /* #define ENABLE_SQL_PREFIX 1 */
   This depends upon the NSS_DEFAULT_DB_TYPE="sql" and uses the ordinary path to access the cert db.

Both work fine with the test script. The case (1) generates just the new key/cert db's.

$ ls slapd-master_1/*.db
slapd-master_1/cert9.db slapd-master_1/key4.db

[*] But in the case (2), the server creates 2 sets of key/cert db's:

$ ls slapd-master_1/*.db
slapd-master_1/key3.db slapd-master_1/cert8.db slapd-master_1/secmod.db slapd-master_1/key4.db slapd-master_1/cert9.db

$ certutil -L -d sql:slapd-master_1
Certificate Nickname                     Trust Attributes
                                         SSL,S/MIME,JAR/XPI
CAcertificate                            CTu,u,u
Server-Cert1                             u,u,u
Server-Cert2                             u,u,u

$ certutil -L -d slapd-master_1
returns nothing.

To reduce the confusion, we should choose the case (1).
--
389-devel mailing list
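The confusing case (2) above, where an instance directory ends up holding both the legacy cert8.db/key3.db set and the new cert9.db/key4.db set, is easy to miss by eye. The following check is an added example (not code from the patch or from 389-ds) that classifies an instance's cert directory by the NSS database files present, builds a certutil -d argument with an explicit "sql:" or "dbm:" prefix so the result does not depend on NSS_DEFAULT_DB_TYPE, and flags the mixed state; the directory names and the empty stand-in files in demo() are constructed for illustration.

```python
import os
import tempfile

# File names NSS writes for each database format: legacy "dbm" vs the shared "sql" DB.
LEGACY_FILES = {"cert8.db", "key3.db", "secmod.db"}
SQL_FILES = {"cert9.db", "key4.db", "pkcs11.txt"}


def classify_nss_dir(path):
    """Return 'sql', 'dbm', 'mixed' or 'empty' for an instance's cert directory."""
    present = set(os.listdir(path))
    has_legacy = bool(present & {"cert8.db", "key3.db"})
    has_sql = bool(present & {"cert9.db", "key4.db"})
    if has_legacy and has_sql:
        return "mixed"
    return "sql" if has_sql else ("dbm" if has_legacy else "empty")


def check_nss_dir(path):
    """Return (format, certutil -d argument, warnings) for the directory.

    The -d argument always carries an explicit "sql:" or "dbm:" prefix, so the
    caller's NSS_DEFAULT_DB_TYPE setting cannot change which database is opened.
    A mixed directory is the case (2) situation from the post: the sql: prefix is
    returned (that is where the certificates were listed), and the leftover
    legacy files are reported so they can be looked at.
    """
    kind = classify_nss_dir(path)
    if kind == "empty":
        return kind, None, ["no NSS database files found"]
    warnings = []
    if kind == "mixed":
        leftovers = sorted(set(os.listdir(path)) & LEGACY_FILES)
        warnings.append("both dbm and sql databases present; legacy files: " + ", ".join(leftovers))
    prefix = "dbm:" if kind == "dbm" else "sql:"
    return kind, prefix + path, warnings


def demo():
    """Build constructed directories mirroring case (1) and case (2) and check both."""
    results = {}
    cases = {"case1": SQL_FILES, "case2": SQL_FILES | LEGACY_FILES}
    with tempfile.TemporaryDirectory() as tmp:
        for name, files in cases.items():
            d = os.path.join(tmp, name)
            os.mkdir(d)
            for f in files:
                open(os.path.join(d, f), "w").close()  # empty stand-ins, not real NSS DB files
            kind, arg, warnings = check_nss_dir(d)
            results[name] = (kind, arg.startswith("sql:"), len(warnings))
    return results
```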