[Swan] libreswan 3.14rc2 Release Candidate

Jonas Trollvik jontro at gmail.com
Tue Jun 16 14:23:30 EEST 2015


Hi and thanks!

I have successfully upgraded. I was following the git repository at
https://github.com/libreswan/libreswan; however, these changes do not seem
to be in there, right?

Also I am still having issues described in this post
https://lists.libreswan.org/pipermail/swan/2014/000826.html (i.e. multiple
clients cannot connect from the same nat). Is this an outstanding issue
still or a configuration problem?

Kind regards
Jonas

2015-06-15 15:32 GMT+02:00 Paul Wouters <paul at nohats.ca>:

>
> Hi,
>
> We have made a 3.14rc2 Release Candidate available for testing.
>
> As the changes between 3.13 and 3.14 are significant, we would like
> to hear back from the community for any potential issues they find,
> including the upgrade from 3.13 to 3.14rc2. This upgrade will also
> upgrade the NSS database in /etc/ipsec.d from dbm format to sql format,
> so please do backup /etc/ipsec.d before attempting an upgrade.
>
> The (not fully completed) changelog follows below.
>
> Paul
>
> * NSS: Major rewrite of PRF / PRFPLUS / integrity functions [Andrew]
> * CAVS: Added programs/pluto/cavp for NIST CAVS testing [Andrew]
> * IKEv2: authby=null support (draft-ietf-ipsecme-authnull) [Paul/Antony/Hugh]
> * IKEv2: leftid=%null support (draft-ietf-ipsecme-authnull) [Paul/Antony/Hugh]
> * IKEv2: whack and smc related time out fixes [Antony]
> * IKEv2: do not pad IKE messages (fix interop w. InsideSecure) [Paul]
> * IKEv2: Fix esp=camellia to use the IKEv2 IANA registry number for ESP [Paul]
> * IKEv2: Fix memory leaks in addresspool and child exchange sadb [Antony]
> * IKEv2: Support for INVALID_KE DH group re-transmits [Paul/Hugh]
> * IKEv2: if applicable, add CERTREQ payload to IKE_SA_INIT response [Antony]
> * IKEv1: Don't copy isakmp_sa from received packet [Paul]
> * FIPS: Enforce crypto restrictions in FIPS mode (no md5, twofish, etc) [Paul]
> * XAUTH: retransmit user/password request in 10s (instead of 30s) [Wolfgang]
> * X509: Re-added CRL and OCSP support using NSS [Matt]
> * X509: Expired certificate could crash pluto [Wolfgang]
> * x509: New options: ocsp_enable= ocsp_strict= ocsp_timeout= ocsp_uri= and ocsp_trust_name= [Matt]
> * pluto: Converted select() loop to use libevent and subsecond timers [Antony]
> * pluto: Added retransmit-timeout= and retransmit-interval= [Antony]
> * pluto: Greatly reduce time to retransmit from 20s to 0.5s [Antony]
> * pluto: Support for IKEv1 and IKEv2 AES_CTR (ike=aes_ctr) [Andrew Cagney]
> * pluto: Support for CBC/CTR test vectors using NSS [Andrew Cagney]
> * pluto: Remove last weary old X.509 patch code and use NSS instead [Matt]
> * pluto: Static IP support using passwd file with addresspool= [Wolfgang]
> * pluto: major tidy of labeled ipsec code [Hugh]
> * pluto: fixes for uninitialized fields in output struct [Hugh/Paul]
> * pluto: audit format and log item update as per audit spec [Paul]
> * pluto: simplify and clarify sa_copy_sa and friends [Hugh]
> * pluto: small steps improving crypto helpers [Hugh]
> * pluto: plutostderrlog= renamed to logfile= [Paul]
> * pluto: plutostderrlogtime= renamed to logtime= [Paul]
> * pluto: New option logappend=yes|no (default yes) [Paul]
> * pluto: Removed obsoleted loopback= support [Paul]
> * pluto/rsasigkey: added --seedbits option (and seedbits= option) [Paul]
> * pluto: do not terminate_connection() in-flight [Hugh]
> * pluto: don't use an expired reserved kernel SPI as fallback [Herbert Xu]
> * pluto: Use "third best" monotime() on mismatched kernel/glibc headers [Paul]
> * pluto: removed bool inbound_only from delete_ipsec_sa() [Paul/Herbert]
> * pluto: fix modecfg client/server status display (was swapped) [Herbert]
> * pluto: NFLOG support via nflog-all= and nflog= keywords [Paul]
> * pluto: Fix bogus "no RSA public key known for '%fromcert'" [Herbert Xu]
> * libipsecconf: Improve parser for pipe case (with NM) [Hugh/Lubomir Rintel]
> * readwriteconf: improve error handling [Hugh]
> * ipsec: ipsec --import does not need to run restorecon [Paul]
> * ipsec: --checknss option automatically updates NSS DB to SQL [Matt]
> * packaging: Various SPEC file fixes [Tuomo/Kim]
> * packaging: Add v6neighbour-hole.conf for Neighbour Discovery hole [Paul]
> * initsystems: run ipsec --checknss before start [Tuomo]
> * building: overhaul of build system Makefiles (see mk/) [Andrew]
> * testing: docker test type support [Antony]
> * testing: test case updates/additions [Antony/Paul/Andrew/Matt]
> * NETKEY: Increase netlink message buffer for larger SELinux labels [Paul]
> * KLIPS: move udp_encap_enable() to not be within spinlock [Wolfgang]
> * KLIPS: ipsec_rcv_decap_ipip broken for IPv6 lsb#227 [Frank Schmirler]
> * KLIPS: Support for SHA2 via CryptoAPI [Wolfgang]
> * KLIPS: Support for sha2_truncbug [Wolfgang]
> * whack: New command ipsec whack --purgeocsp [Matt]
> * whack: cleanup help text [Tuomo]
> * _stackmanager: Don't load blacklisted modules (rhbz#1207689) [Paul/Tuomo]
> * _updown: add proxy arp for cases where routing won't work [Tuomo/Wolfgang]
> * Bugtracker bugs fixed:
>   #260: libswan: extra safety around same_id() when ID_FROMCERT is used [Paul]
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
>
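The quoted announcement asks for a backup of /etc/ipsec.d before the upgrade converts the NSS database from dbm to sql format (the same conversion `ipsec --checknss` performs). The following script is an added example for that step; it is not part of this thread or of libreswan's own tooling. It makes a timestamped, owner-only tar archive of the directory and reports which NSS database format is present, so an operator can confirm the state before and after running the upgrade. It assumes a POSIX shell with `tar`, takes the directory as a parameter so it can be tested against a copy, and defaults the backup location to /var/backups (an assumed path). The file names it checks are the standard NSS ones: cert8.db/key3.db for the legacy dbm format and cert9.db/key4.db for the sqlite format.

```shell
#!/bin/sh
# Added example, not libreswan's own tooling: back up /etc/ipsec.d before the
# 3.14 NSS dbm-to-sql migration and report the database format found.
set -eu

# Print "dbm", "sql", "both" or "none" depending on which NSS DB files exist.
# Legacy (dbm) NSS databases use cert8.db/key3.db; the sqlite format uses
# cert9.db/key4.db. "both" usually means a conversion has already been run
# and the old files were left behind.
nss_db_format() {
    dir="$1"
    dbm=0
    sql=0
    if [ -f "$dir/cert8.db" ] || [ -f "$dir/key3.db" ]; then dbm=1; fi
    if [ -f "$dir/cert9.db" ] || [ -f "$dir/key4.db" ]; then sql=1; fi
    case "$dbm$sql" in
        10) echo dbm ;;
        01) echo sql ;;
        11) echo both ;;
        *)  echo none ;;
    esac
}

# Create a timestamped tar archive of the directory and print the archive path.
# The second argument (backup directory) is optional; /var/backups is an
# assumed default.
backup_ipsec_d() {
    src="$1"
    dest_dir="${2:-/var/backups}"
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$dest_dir/$(basename "$src")-$stamp.tar"
    mkdir -p "$dest_dir"
    # -C so the archive stores paths relative to the parent of $src.
    tar -cf "$archive" -C "$(dirname "$src")" "$(basename "$src")"
    # The NSS database holds private keys: keep the archive owner-only.
    chmod 600 "$archive"
    echo "$archive"
}

# Command-line entry point: ./backup-ipsec-d.sh --run [/etc/ipsec.d] [backup dir]
if [ "${1:-}" = "--run" ]; then
    dir="${2:-/etc/ipsec.d}"
    echo "NSS DB format in $dir: $(nss_db_format "$dir")"
    echo "backup written to: $(backup_ipsec_d "$dir" "${3:-/var/backups}")"
fi
```

Run it once before the package upgrade and once after `ipsec --checknss`; the format report should move from `dbm` to `sql` (or `both` if the old files are kept), and the archive gives a way back if the conversion or the new release misbehaves.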

