[Swan-commit] Changes to ref refs/heads/master

Paul Wouters paul at vault.libreswan.fi
Thu Feb 21 05:01:25 UTC 2019

New commits:
commit 711267234abdc773e3bb2412cd25dd3397288812
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Feb 20 23:58:58 2019 -0500

    documentation: update changes

commit 0e391fb4d696047cec1fa82a7e47d977b64302d8
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Feb 21 00:00:21 2019 -0500

    building: just a whitespace change in nss_cert_verify.c
    Done separately, so the previous commit is more self-describing

commit 7de7d5cdb6717101b8161891ed4344dfd32f5e4c
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Feb 20 23:51:56 2019 -0500

    X509: Don't fail validation on critical flag in Key Usage payloads
    When using the NSS IPsec profile for certificate validation, the NSS
    library rejects validation if it encounters a critical flag. The NSS
    IPsec profile supports ignoring EKU as per RFC 4945.
    When not using the NSS IPsec profile, libreswan uses the TLS profile.
    It first tries TLS server, then TLS client verification. This NSS profile
    accepts critical flags. It does not support ignoring EKU as per RFC 4945.
    As a workaround until NSS updates the IPsec profile processing, libreswan
    will now first try to use the NSS IPsec profile. On failure it will use
    the NSS TLS profile (as server, then as client, which is the old style
    of pre 3.28 verification).
    If NSS IPsec profile support is not compiled in, only the TLS profile
    (server, then client) will be used, as was the behaviour before 3.28.
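
A simplified model of the verification order described in the last commit message above, as an added example that is not libreswan or NSS code. The struct, enum and function names are hypothetical, and each profile is reduced to the two behaviours the message states; returning the accepting profile lets an operator see which certificates only pass through the TLS fallback.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model: only the certificate properties the commit message names. */
struct cert_model {
    bool critical_ku; /* Key Usage extension carries the critical flag */
    bool eku_server;  /* EKU is acceptable for TLS server verification */
    bool eku_client;  /* EKU is acceptable for TLS client verification */
};

enum profile { PROFILE_NONE, PROFILE_IPSEC, PROFILE_TLS_SERVER, PROFILE_TLS_CLIENT };

/* IPsec profile as described: ignores EKU, rejects the critical flag. */
static bool verify_ipsec(const struct cert_model *c) { return !c->critical_ku; }

/* TLS profile as described: accepts the critical flag, does not ignore EKU. */
static bool verify_tls_server(const struct cert_model *c) { return c->eku_server; }
static bool verify_tls_client(const struct cert_model *c) { return c->eku_client; }

/* Order from the commit message: IPsec first (if compiled in), then TLS
 * server, then TLS client. Returns the profile that accepted the cert. */
enum profile verify_with_fallback(const struct cert_model *c, bool ipsec_compiled_in)
{
    if (ipsec_compiled_in && verify_ipsec(c))
        return PROFILE_IPSEC;
    if (verify_tls_server(c))
        return PROFILE_TLS_SERVER;
    if (verify_tls_client(c))
        return PROFILE_TLS_CLIENT;
    return PROFILE_NONE; /* no profile accepted: validation fails */
}

int main(void)
{
    static const char *names[] = { "rejected", "IPsec", "TLS server", "TLS client" };
    /* Constructed sample certificates, not taken from any real deployment. */
    const struct cert_model samples[] = {
        { true,  true,  false }, /* critical KU, server EKU */
        { false, false, false }, /* non-critical KU, EKU fits neither TLS role */
        { true,  false, true  }, /* critical KU, client EKU */
        { true,  false, false }, /* critical KU, EKU fits neither TLS role */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("cert %zu: with IPsec profile -> %s, without -> %s\n", i,
               names[verify_with_fallback(&samples[i], true)],
               names[verify_with_fallback(&samples[i], false)]);
    return 0;
}
```

In this model the last sample is rejected on every path: the fallback accepts a certificate only if at least one profile accepts it as a whole, so it does not combine the IPsec profile's EKU handling with the TLS profile's tolerance of the critical flag.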
