[Swan] libreswan 3.14rc2 Release Candidate

Paul Wouters paul at nohats.ca
Mon Jun 15 16:32:41 EEST 2015


Hi,

We have a 3.14rc2 Release Candidate available for testing.

As the changes between 3.13 and 3.14 are significant, we would like
to hear back from the community for any potential issues they find,
including the upgrade from 3.13 to 3.14rc2. This upgrade will also
upgrade the NSS database in /etc/ipsec.d from dbm format to sql format,
so please do back up /etc/ipsec.d before attempting an upgrade.

The (not fully completed) changelog follows below.

Paul

* NSS: Major rewrite of PRF / PRFPLUS / integrity functions [Andrew]
* CAVS: Added programs/pluto/cavp for NIST CAVS testing [Andrew]
* IKEv2: authby=null support (draft-ietf-ipsecme-authnull) [Paul/Antony/Hugh]
* IKEv2: leftid=%null support (draft-ietf-ipsecme-authnull) [Paul/Antony/Hugh]
* IKEv2: whack and smc related time out fixes [Antony]
* IKEv2: do not pad IKE messages (fix interop w. InsideSecure) [Paul]
* IKEv2: Fix esp=camellia to use the IKEv2 IANA registry number for ESP [Paul]
* IKEv2: Fix memory leaks in addresspool and child exchange sadb [Antony]
* IKEv2: Support for INVALID_KE DH group re-transmits [Paul/Hugh]
* IKEv2: if applicable, add CERTREQ payload to IKE_SA_INIT response [Antony]
* IKEv1: Don't copy isakmp_sa from received packet [Paul]
* FIPS: Enforce crypto restrictions in FIPS mode (no md5,twofish, etc) [Paul]
* XAUTH: retransmit user/password request in 10s (instead of 30s) [Wolfgang]
* X509: Re-added CRL and OCSP support using NSS [Matt]
* X509: Expired certificate could crash pluto [Wolfgang]
* x509: New options: ocsp_enable= ocsp_strict= ocsp_timeout= [Matt]
         ocsp_uri= and ocsp_trust_name=
* pluto: Converted select() loop to use libevent and subsecond timers [Antony]
* pluto: Added retransmit-timeout= and retransmit-interval= [Antony]
* pluto: Greatly reduce time to retransmit from 20s to 0.5s [Antony]
* pluto: Support for IKEv1 and IKEv2 AES_CTR (ike=aes_ctr) [Andrew Cagney]
* pluto: Support for CBC/CTR test vectors using NSS [Andrew Cagney]
* pluto: Remove last weary old X.509 patch code and use NSS instead [Matt]
* pluto: Static IP support using passwd file with addresspool= [Wolfgang]
* pluto: major tidy of labeled ipsec code [Hugh]
* pluto: fixes for uninitialized fields in output struct [Hugh/Paul]
* pluto: audit format and log item update as per audit spec [Paul]
* pluto: simplify and clarify sa_copy_sa and friends [Hugh]
* pluto: small steps improving crypto helpers [Hugh]
* pluto: plutostderrlog= renamed to logfile= [Paul]
* pluto: plutostderrlogtime= renamed to logtime= [Paul]
* pluto: New option logappend=yes|no (default yes) [Paul]
* pluto: Removed obsoleted loopback= support [Paul]
* pluto/rsasigkey: added --seedbits option (and seedbits= option) [Paul]
* pluto: do not terminate_connection() in-flight [Hugh]
* pluto: don't use an expired reserved kernel SPI as fallback [Herbert Xu]
* pluto: Use "third best" monotime() on mismatched kernel/glibc headers [Paul]
* pluto: removed bool inbound_only from delete_ipsec_sa() [Paul/Herbert]
* pluto: fix modecfg client/server status display (was swapped) [Herbert]
* pluto: NFLOG support via nflog-all= and nflog= keywords [Paul]
* pluto: Fix bogus "no RSA public key known for '%fromcert'" [Herbert Xu]
* libipsecconf: Improve parser for pipe case (with NM) [Hugh/Lubomir Rintel]
* readwriteconf: improve error handling [Hugh]
* ipsec: ipsec --import does not need to run restorecon [Paul]
* ipsec: --checknss option automatically updates NSS DB to SQL [Matt]
* packaging: Various SPEC file fixes [Tuomo/Kim]
* packaging: Add v6neighbour-hole.conf for Neighbour Discovery hole [Paul]
* initsystems: run ipsec --checknss before start [Tuomo]
* building: overhaul of build system Makefiles (see mk/) [Andrew]
* testing: docker test type support [Antony]
* testing: test case updates/additions [Antony/Paul/Andrew/Matt]
* NETKEY: Increase netlink message buffer for larger SElinux labels [Paul]
* KLIPS: move udp_encap_enable() to not be within spinlock [Wolfgang]
* KLIPS: ipsec_rcv_decap_ipip broken for IPv6 lsb#227 [Frank Schmirler]
* KLIPS: Support for SHA2 via CryptoAPI [Wolfgang]
* KLIPS: Support for sha2_truncbug [Wolfgang]
* whack: New command ipsec whack --purgeocsp [Matt]
* whack: cleanup help text [Tuomo]
* _stackmanager: Don't load blacklisted modules (rhbz#1207689) [Paul/Tuomo]
* _updown: add proxy arp for cases where routing won't work [Tuomo/Wolfgang]
* Bugtracker bugs fixed:
   #260: libswan: extra safety around same_id() when ID_FROMCERT is used [Paul]

