[Swan] Cannot compile Libreswan 3.14 and newer on CentOS 5

Tomas France tomfra at centrum.cz
Fri Sep 25 03:47:23 UTC 2015


OK, I did something (installing new flex, bison, patching source...)
apparently and now I get this error when compiling, instead of the Flex
error:

------------------------------
-c /opt/libreswan-3.15/programs/pluto/timer.c
cc1: warnings being treated as errors
/opt/libreswan-3.15/programs/pluto/timer.c: In function 'timer_event_cb':
/opt/libreswan-3.15/programs/pluto/timer.c:455: warning: 'last_used_age.delta_secs' is used uninitialized in this function
make[3]: *** [timer.o] Error 1
make[3]: Leaving directory `/opt/libreswan-3.15/OBJ.linux.x86_64/programs/pluto'
make[2]: *** [local-base] Error 2
make[2]: Leaving directory `/opt/libreswan-3.15/programs/pluto'
------------------------------

What is strange is that it used to be failing at the timer.c compile.
Yesterday I started getting the flex issue. Not sure what this means
to be honest.

Tomas



-----Original Message-----
From: Paul Wouters [mailto:paul at nohats.ca] 
Sent: Friday, September 25, 2015 4:45 AM
To: Tomas France
Cc: swan at lists.libreswan.org
Subject: Re: [Swan] Cannot compile Libreswan 3.14 and newer on CentOS 5

On Fri, 25 Sep 2015, Tomas France wrote:

> OK, I understand. We are talking about 20+ servers that would need a 
> full reinstallation by the way... Done by myself...

That's not too bad :)

> It seems I have been able to compile OpenSwan 2.6.45 on the CentOS 5 
> (test) server though, although with some nasty makefile modifications.

Obviously I am biased, but I would not use openswan. They haven't properly
fixed some of the earlier CVEs (the ID one) and their code hasn't seen the
amount of FIPS and Common Criteria testing that libreswan went through.
Also, if you compiled without NSS, that setup is also vulnerable to the
private RSA key leak as described at:

https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/

> I'd really
> prefer Libreswan as it works really well on one of our CentOS 6 
> servers already (well, too early to say really but so far so good).
>
> Also, if someone would consider modifying the patch from 3.14 to 3.13, 
> I'd be willing to send a small donation for that :)

I think it would be more useful to see about pulling in nss from centos6 and
going with the latest libreswan. The 3.15-3 build that will go into
RHEL6 extras and RHEL-7.1.z probably has all the fixes for the flex/bison
issues you reported. The pre-release of 3.15-3 can be found at
ftp://ftp.nohats.ca/rhel6/

Paul


