[Swan-dev] testing update for x509-san and strongswan-5.5.2

Paul Wouters paul at nohats.ca
Mon May 29 03:23:46 UTC 2017


I've merged in the x509-san branch and also reran all tests against an
updated strongswan-5.5.2 (needed for AH testing/fixes).

There was some regression in the tests due to a regression in strongswan.
I've fixed the configs to work around some changes in their default
options. One odd feature is that curve25519 is now their default DH
group, so all tests require another roundtrip because it started with
the wrong KE size payload. Even odder, they do the same for IKEv1, which
causes them to send some IKE exchanges with an empty list of proposals,
which we loudly complain about and refuse.

It now shows some AH tests failing, which is because I'm working
on the update for libreswan to support the proper AH alignment that
strongswan now enforces. This will also require kernel 2.6.39 or
higher, but I do think we all have that already running in our
guests.

You can grab the strongswan src rpm and fedora22 rpm here:

https://download.nohats.ca/strongswan/strongswan-5.5.2-1.fc27.src.rpm
https://download.nohats.ca/strongswan/strongswan-5.5.2-1.fc22.x86_64.rpm


The SubjectAltName tests required generating the certs differently. All certs
now have a unique E= entry (instead of testing@libreswan.org) so we can
test that we are properly ignoring that entry (we should only match
USER_FQDN on subjectAltNames). All test cases have been updated for
this, but be sure to rerun testing/x509/dist_certs.py or "make kvm-keys"
so your certificate output matches the new good output.

Paul
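As an added example (not libreswan code and not part of this message), the following Python check with the `cryptography` library builds a constructed self-signed test certificate carrying an E= subject attribute plus a subjectAltName, and then matches a USER_FQDN peer ID only against the SAN rfc822Name entries, never against E=. Function names, the sample addresses and the case-folding of the domain part are assumptions.

```python
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
import datetime


def make_test_cert(subject_email: str, san_emails: list[str]) -> x509.Certificate:
    """Constructed self-signed test cert: E= in the subject DN plus an optional SAN."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([
        x509.NameAttribute(NameOID.COMMON_NAME, "east"),
        x509.NameAttribute(NameOID.EMAIL_ADDRESS, subject_email),
    ])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(name).issuer_name(name)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now)
               .not_valid_after(now + datetime.timedelta(days=1)))
    if san_emails:
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.RFC822Name(e) for e in san_emails]),
            critical=False)
    return builder.sign(key, hashes.SHA256())


def san_user_fqdns(cert: x509.Certificate) -> list[str]:
    """rfc822Name entries of the SAN extension; no SAN at all means no identities."""
    try:
        ext = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    except x509.ExtensionNotFound:
        return []
    return ext.value.get_values_for_type(x509.RFC822Name)


def user_fqdn_matches(cert: x509.Certificate, peer_id: str) -> bool:
    """True only when peer_id equals a SAN rfc822Name; the subject's E= attribute
    is never consulted. Assumption: the domain part is compared case-insensitively."""
    def norm(addr: str) -> str:
        local, _, domain = addr.rpartition("@")
        return f"{local}@{domain.lower()}"
    return norm(peer_id) in {norm(e) for e in san_user_fqdns(cert)}
```

A certificate whose only e-mail identity lives in the subject's E= attribute therefore never satisfies a USER_FQDN match here, which is the behaviour the regenerated test certs are meant to exercise.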
