----- Original Message -----
> I am continuing my battle with secure sockets ... rather than starting one
> enormous mail thread, I am going to start several mail threads, one per
> issue I've found.
Thanks.
> This is the first one.
>
> Our code assumes the sql method is available for managing certificates (hope
> I've got the terminology wrong).
>
> On at least one platform I have the nss/nspr packages installed, but no sql
> method as the following shows:
>
> root@vm04:~# rm -rf /etc/pki; mkdir -p -m 0755 /etc/pki/nssdb
> root@vm04:~# certutil -d sql:/etc/pki/nssdb -N -f /tmp/empty
> certutil: function failed: security library: bad database.
> root@vm04:~# certutil -d /etc/pki/nssdb -N -f /tmp/empty
>
> This is on CentOS 5.9.
>
> I believe we need to do one or more of the following: (a) support methods
> other than sql, or (b) provide tighter prerequisites to force the necessary
> pieces to be installed, or (c) don't allow a "secure sockets" build unless
> the platform supports the sql method, or ...
There was much discussion on this one on irc today. There's a lot of weird
subtleties here, and the above options were generally considered the best,
but not 100% clear which it should be though. I'm slightly leaning toward
setting $NSS_DEFAULT_DB_TYPE rather than explicitly using an "sql:" prefix
at this stage, with the slight concern that this opens up the possibility
that we will create non-shareable certificate databases in the locations that
(aiui) were explicitly created and intended for shared databases only. But,
maybe I'm worrying too much there.
cheers.
--
Nathan
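
A check for the situation discussed in this thread, added here as an example and not taken from the thread or the project's code: it reports which NSS database format a directory already holds and probes, in a scratch directory, whether the installed certutil can create an sql: database. The function names are hypothetical; the file names are the standard NSS ones (cert9.db/key4.db for the sql format, cert8.db/key3.db for the legacy format created when no prefix is given).

```shell
#!/bin/sh
# Added example; nss_db_format and nss_probe_sql_support are hypothetical names.

# Classify an NSS database directory by the files it contains.
# sql (shareable) format: cert9.db + key4.db
# legacy dbm format:      cert8.db + key3.db
nss_db_format() {
    dir=$1
    has_sql=no
    has_dbm=no
    [ -f "$dir/cert9.db" ] && [ -f "$dir/key4.db" ] && has_sql=yes
    [ -f "$dir/cert8.db" ] && [ -f "$dir/key3.db" ] && has_dbm=yes
    case "$has_sql$has_dbm" in
        yesyes) echo both ;;   # mixed directory: both formats present
        yesno)  echo sql ;;
        noyes)  echo dbm ;;
        *)      echo none ;;
    esac
}

# Probe whether certutil can create an sql: database on this platform.
# Works in a scratch directory so /etc/pki/nssdb is never touched.
# Prints "sql", "dbm" (sql creation failed), or "unavailable" (no certutil).
nss_probe_sql_support() {
    command -v certutil >/dev/null 2>&1 || { echo unavailable; return 0; }
    scratch=$(mktemp -d) || return 1
    : > "$scratch/empty"              # empty password file, as in the thread
    mkdir "$scratch/db"
    if certutil -d "sql:$scratch/db" -N -f "$scratch/empty" \
            </dev/null >/dev/null 2>&1 &&
       [ "$(nss_db_format "$scratch/db")" = sql ]; then
        result=sql
    else
        result=dbm
    fi
    rm -rf "$scratch"
    echo "$result"
}
```

A build or install step could refuse to proceed, or warn, when nss_probe_sql_support prints dbm, or when nss_db_format reports dbm or both for a location meant to hold a shared database.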