[Swan] Cannot compile Libreswan 3.14 and newer on CentOS 5

Paul Wouters paul at nohats.ca
Fri Sep 25 02:44:44 UTC 2015


On Fri, 25 Sep 2015, Tomas France wrote:

> OK, I understand. We are talking about 20+ servers that would need a full
> reinstallation by the way... Done by myself...

That's not too bad :)

> It seems I have been able to compile OpenSwan 2.6.45 on the CentOS 5 (test)
> server though, although with some nasty makefile modifications.

Obviously I am biased, but I would not use openswan. They haven't
properly fixed some of the earlier CVEs (the ID one) and their code
hasn't seen the amount of FIPS and Common Criteria testing that
libreswan went through. Also, if you compiled without NSS, that setup
is also vulnerable to the private RSA key leak as described at:

https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/

> I'd really
> prefer Libreswan as it works really well on one of our CentOS 6 servers
> already (well, too early to say really but so far so good).
>
> Also, if someone would consider modifying the patch from 3.14 to 3.13, I'd
> be willing to send a small donation for that :)

I think it would be more useful to see about pulling in NSS from CentOS 6
and going with the latest libreswan. The 3.15-3 build that will go into
RHEL6 extras and RHEL-7.1.z probably has all the fixes for the
flex/bison issues you reported. The pre-release of 3.15-3 can be found
at ftp://ftp.nohats.ca/rhel6/

Paul

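The private RSA key leak Paul refers to for builds without NSS is the RSA-CRT fault attack covered in the linked Red Hat post: a single signature that is computed correctly modulo one prime but corrupted modulo the other lets an observer factor the modulus with one gcd. The block below is an added example, not code from this list post or from Libreswan. It implements CRT signing with a small constructed key, injects a fault into the mod-p half, recovers a prime factor from the bad signature, and shows the verify-before-release check that refuses to emit a signature which does not verify under the public key. The primes, the message and the hash-based padding stand-in are constructed for the demonstration; real keys use 2048-bit primes and a proper padding scheme, but the arithmetic is identical.

```python
# Added example (not from the Libreswan list post or project): how one
# faulty RSA-CRT signature leaks a prime factor of N, and the
# verify-before-release check that prevents the leak.
# Requires Python 3.8+ for pow(x, -1, m).
from math import gcd
import hashlib

# Toy key. Both primes are constructed for illustration only.
P = 1000000007
Q = 998244353
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)

# CRT parameters as a real implementation would precompute them.
DP = D % (P - 1)
DQ = D % (Q - 1)
QINV = pow(Q, -1, P)


def encode(msg: bytes) -> int:
    """Hash-and-reduce stand-in for a real padding scheme (constructed)."""
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return h % N


def sign_crt(m: int, fault_in_p: bool = False) -> int:
    """RSA-CRT signing with Garner's recombination. With fault_in_p=True
    the mod-p half is corrupted, simulating a hardware or software fault
    that hits only one of the two half-exponentiations."""
    s_p = pow(m, DP, P)
    s_q = pow(m, DQ, Q)
    if fault_in_p:
        s_p = (s_p + 1) % P  # any corruption of the p-half will do
    h = (QINV * (s_p - s_q)) % P
    return s_q + h * Q


def verify(m: int, s: int) -> bool:
    """Public-key verification: s^e == m (mod N)."""
    return pow(s, E, N) == m


def recover_factor(m: int, faulty_sig: int) -> int:
    """Lenstra's attack. A signature that is correct mod q but wrong mod p
    satisfies s^e == m (mod q) and s^e != m (mod p), so gcd(s^e - m, N)
    is exactly q. The attacker needs only the public key, the signed
    message and the one bad signature."""
    return gcd((pow(faulty_sig, E, N) - m) % N, N)


def sign_hardened(m: int, fault_in_p: bool = False):
    """Verify-before-release: never emit a signature that fails to verify
    under the public key. This is the standard countermeasure for this
    fault class; a faulty signature is dropped instead of leaking q."""
    s = sign_crt(m, fault_in_p)
    if not verify(m, s):
        return None  # caller should retry or fail closed, never send s
    return s


if __name__ == "__main__":
    # Constructed message standing in for signed key-exchange parameters.
    m = encode(b"ServerKeyExchange params (constructed)")
    good = sign_crt(m)
    bad = sign_crt(m, fault_in_p=True)
    print("good signature verifies:", verify(m, good))
    print("faulty signature verifies:", verify(m, bad))
    q = recover_factor(m, bad)
    print("recovered factor == Q:", q == Q, "and N // q == P:", N // q == P)
    print("hardened signer emits faulty signature:", sign_hardened(m, True) is not None)
```

The point for an IKE daemon is the same as for a TLS server: every IKE_AUTH with RSA authentication hands a signature over attacker-observable data to the peer, so a signer that does not check its own output turns one transient fault into a full private key disclosure. The check costs one public-key exponentiation per signature.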
