[Swan-dev] libreswan 3.28 unavailability in rhel repo

Paul Wouters paul at nohats.ca
Wed Jun 5 18:02:43 UTC 2019


On Wed, 5 Jun 2019, Spiros Ioannou wrote:

> Hi Paul, thank you for your actions. I feel I must warn you that as 3.28 changes lots of defaults (e.g. SHA1 deprecation, IKEv2 by
> default, etc) most of our 2000+ tunnels went down after upgrading to 3.28, so we had to downgrade again as most of the remote endpoints
> are not in our control, until we figure out how to handle.

I'm sorry you were caught in that.

You should be able to change the default using:

conn %default
	ikev2=no

The cryptographic changes in IKEv1 are minimal. It should still accept
3DES and AES with SHA1 or SHA2, and MODP1536 (DH5) or greater. Every
IKEv1 endpoint should be able to do that.

I've created a 3.27-2 build for x86_64 and added it to the repository on
download.libreswan.org/rhel/7/ for those who want to fix CVE-2019-12312
without upgrading to 3.28. While this is propagating to the mirrors,
you can grab it directly from:

https://nl.libreswan.org/binaries/rhel/7/x86_64/libreswan-3.27-2.el7.x86_64.rpm

> It should have been a major version change, or treat this change differently as automatic security upgrades will give a big bad surprise
> in most installations. I hope we are an exception.

In an ideal world, I agree with you. But the consequence of doing that
would be that libreswan has to maintain the 3.x series while developing
the 4.x series. That takes a lot of additional resources we currently
do not have.

We did try to point this out in the announcement that this was a major
release and listed the compatibility issues as first items of the release.

Furthermore, we initially did not intend to fix this as a CVE issue,
as the impact is very low. Unfortunately, someone else issued a CVE for
libreswan, so we ended up being forced to write up a CVE for this to
replace the original poster's (incomplete and incorrect) CVE text. Had
we had an actual CVE issue come up, we would have done a release that
would have a very minimal set of changes, preferably only the CVE fix,
before merging our git master into a new release.

Note also that we offer downloads.libreswan.org/binaries/ as a
complimentary service. It is provided as-is without any guarantee.
We recommend that people deploying large numbers of servers that
use this repository pull updates into their own quality control
testing before deployment on production servers, or use a Linux
vendor with commercial support (such as Red Hat Enterprise Linux).

Note that there are several ways to sponsor libreswan development.
Contributing entities get a dedicated mailing list for assistance
and advance notification of security issues.

Regards,

Paul
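An added example, not part of the original post and not libreswan project code: a small Python audit of an ipsec.conf that flags the conns the thread describes as at risk from the 3.28 defaults. It assumes libreswan's "conn NAME" / "conn %default" section layout and the ikev2= and ike= keywords as used above, that a conn inherits unset keys from conn %default, and that the post's "MODP1536 (DH5) or greater" statement means a DH group below that in an explicit ike= line is a likely breakage. The sample configuration inside the block is constructed for the example.

```python
"""Pre-upgrade audit of ipsec.conf against the libreswan 3.28 default changes.

Assumptions (not from the post): conn keys inherit from "conn %default",
and an ike= proposal naming modp768/modp1024 falls below the MODP1536
floor the post mentions for IKEv1.
"""
import re

# Constructed sample ipsec.conf used only to demonstrate the audit.
SAMPLE_CONF = """\
config setup
    protostack=netkey

conn %default
    keyexchange=ike
    authby=secret

conn branch-a
    left=192.0.2.1
    right=198.51.100.7
    ike=aes128-sha1;modp1024

conn branch-b
    left=192.0.2.1
    right=198.51.100.8
    ikev2=no
    ike=aes256-sha2;modp2048

conn branch-c
    left=192.0.2.1
    right=198.51.100.9
    ikev2=yes
"""

# DH groups the post says 3.28's IKEv1 no longer guarantees (below MODP1536).
WEAK_DH = re.compile(r"modp(768|1024)\b", re.IGNORECASE)


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section.

    Lines starting in column 0 are section headers; indented 'key=value'
    lines belong to the current section.  'config setup' is skipped.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # strip comments
        if not line.strip():
            continue
        if not line[0].isspace():
            parts = line.split()
            if len(parts) == 2 and parts[0] == "conn":
                current = parts[1]
                sections.setdefault(current, {})
            else:
                current = None  # e.g. "config setup"
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.strip().partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def effective(conns, name, key):
    """Look a key up on the conn itself, then on conn %default (assumed inheritance)."""
    if key in conns.get(name, {}):
        return conns[name][key]
    return conns.get("%default", {}).get(key)


def audit(text):
    """Return {conn_name: [issue, ...]}; an empty list means nothing was flagged."""
    conns = parse_conns(text)
    findings = {}
    for name in conns:
        if name == "%default":
            continue
        issues = []
        if effective(conns, name, "ikev2") is None:
            issues.append("ikev2 not set: 3.28 defaults to IKEv2 (the post's workaround is ikev2=no in conn %default)")
        ike = effective(conns, name, "ike")
        if ike and WEAK_DH.search(ike):
            issues.append("ike= uses a DH group below MODP1536, which 3.28 IKEv1 may reject")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for conn, issues in audit(SAMPLE_CONF).items():
        print(conn, "->", issues or "ok")
```

Run against a real file, the intent is to find every tunnel whose behaviour silently changes on upgrade before the package is rolled out, which is the quality-control step the post recommends for large deployments.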

