[Swan] Libreswan 3.19 released - EL7

Nick Howitt nick at howitts.co.uk
Mon Jan 16 15:54:50 UTC 2017


Hi Paul,

Many thanks for the update.

I tried using yum update to update from the libreswan repo into ClearOS 
7.2 and it found nothing in the el7 repo. Looking at the files there, 
from the file names it looks like the binary rpm there has been set as 
7.3 only, as is the source. Is this correct that it is not compatible 
with earlier versions of el7/centos7/clearos7?

Regards,

  Nick


On 2017-01-15 21:42, The Libreswan Project wrote:
> 
> 
> The Libreswan Project has released libreswan-3.19
> 
> This is a major bugfix and feature release.
> 
> Important bugfixes:
> 
> This version fixes a crasher and/or lockup in the bare shunt handling.
> It also includes various memory leak fixes related to certificate
> handling and some DPD fixes.
> 
> Compatibility changes:
> 
> Support for the obsolete keyword auth= has been removed. Configurations
> should use the phase2= keyword instead. The forceencaps functionality
> was extended and renamed into the option encapsulation=auto|yes|no that
> allows forcing "no encapsulation" desired in some cloud deployments.
> Support for DH22 is no longer compiled in per default. Support for DH2
> has been removed from the default proposal set of IKEv1.
> 
> New features introduced:
> 
> Support for asymmetric authentication using leftauth= and rightauth=
> has been introduced. This feature allows for using LetsEncrypt for
> Opportunistic IPsec. See the libreswan website for defaults.
> 
> A new keyword leftvti=/rightvti= was added to allow specifying the desired
> IP address of the VTI interface that is created with the connection.
> 
> OCSP cache tuning options have been introduced: ocsp-method=
> ocsp-cache-size= ocsp-cache-min-age= and ocsp-cache-max-age=.
> 
> Experimental support for SECCOMP security is introduced with the seccomp=
> keyword.
> 
> Various crypto code was reworked to better support FIPS requirements.
> 
> You can download libreswan via https at:
> 
> https://download.libreswan.org/libreswan-3.19.tar.gz
> https://download.libreswan.org/libreswan-3.19.tar.gz.asc
> 
> The full changelog is available at:
> https://download.libreswan.org/CHANGES
> 
> Please report bugs either via one of the mailinglists or at our bug tracker:
> 
> https://lists.libreswan.org/
> https://bugs.libreswan.org/
> 
> Binary packages for RHEL/EPEL and Debian/Ubuntu can be found at
> https://download.libreswan.org/binaries/
> 
> Binary packages for Fedora and Debian should be available in their respective
> repositories a few days after this release.
> 
> See also https://libreswan.org/
> 
> v3.19 (January 15, 2017)
> * NSS: Support for configurable nss dir via @IPSEC_NSSDIR@ [dkg/Tuomo]
> * FIPS: Only pluto needs a .hmac file, reducing crypto boundary [Paul]
> * FIPS: do not allow DBG_PRIVATE to be set when running in FIPS mode [Paul]
> * FIPS: Ignore failureshunt=passthrough and negotiationshunt=passthrough [Paul]
> * FIPS: Filter default proposals of non-FIPS allowed proposals [Andrew]
> * FIPS: Added CAVP test for pluto GCM code [Andrew]
> * FIPS: More cleanup of crypto related structs and functions [Andrew]
> * FIPS: Implement SHA based PRFs directly in NSS [Andrew]
> * FIPS: Support for CAVP testing 'HMAC construct' based SHA PRF code [Andrew]
> * IKEv2: Don't crash on bogus mixed protocol Delete Payloads [Hugh/Paul]
> * IKEv2: Add asymmetric AUTH support (leftauth= and rightauth=) [Antony/Paul]
> * IKEv2: refactored AUTH handling payload into v2_check_auth() [Paul]
> * IKEv2: support CERT chain sending [Paul]
> * IKEv2: Allow CERT and CERTREQ payloads multiple times [Paul]
> * IKEv2: do not attempt to send notify in reply to IKE_AUTH reply [Paul]
> * IKEv2: When receiving DELETE, ensure expire+restart when needed [Antony]
> * IKEv1: If a queued up DPD probe finds no IKE SA, create a new one [Paul]
> * IKEv1: accept_delete() check if IKE SA is shared before deleting [Paul]
> * IKEv1: Remove ADNS, DNS continuations and IKEv1 OE code [Paul/Antony]
> * IKEv1: Schedule IPsec SA REPLACE immediately when receiving DELETE [Antony]
> * IKEv1: Some IKE SA failure on initiator could lead to hanging whack [Paul]
> * KLIPS: fix for unregister_netdevice() for Linux 3.6.11 and up [Richard/Paul]
> * XFRM: EXPERIMENTAL Support for configuring IP address on the VTI device [Paul]
>         keyword: leftvti=address/mask
> * XFRM: Fix NAT-T support when userland compiled without KLIPS support [Paul]
> * X509: Obsolete /etc/ipsec.d/crls (load_crls()) and whack --rereadcrls [Paul]
> * X509: New whack --fetchcrls (alias ipsec crls) to trigger a fetch [Paul]
> * X509: Iterate all X.509 certs and try to fetch their crls [Kim]
> * X509: Start a fetch for CRLs 5 seconds after startup [Kim]
> * X509: --rereadcrls no longer overwrites newer CRLs with older ones [Paul]
> * X509: log the NSS error when CERT_ImportCerts() fails [Paul]
> * X509: Don't attempt to fetch crl->uri when not present [Paul/Matt]
> * X509: Additional OCSP options to tweak the cache and fetch method [Paul]
>         (new keywords: ocsp-method ocsp-cache-size ocsp-cache-min-age ocsp-cache-max-age)
> * X509: Fix memory leak in certificate handling (lsbz#278) [William Rios]
> * X509: Fix memory leak in certificate chain handling [Matt]
> * pluto: close whack socket in add_pending when dup pending is skipped [Hugh]
> * pluto: Avoid adding duplicate bare shunts causing lockup [Paul]
> * pluto: drop modp1024 (DH2) from IKEv1 "ike=" default list [Andrew]
> * pluto: send_packet() now refuses to send a packet to 0.0.0.0 [Paul]
> * pluto: find_hostpair ignore CK_INSTANCES which are ID_NULL [Antony]
> * pluto: Fix ca name and generalName leak lsbz#276 [Bill Rios]
> * pluto: EXPERIMENTAL SECCOMP support (seccomp=enabled|tolerant|disabled) [Paul]
> * pluto: connection instances need their own reqid [Antony]
>          (this resolves multiple clients behind same NAT router issue)
> * pluto: Use a global reqid counter instead of looping every time [Paul]
> * pluto: use sets instead of nested loops for transform processing [Andrew]
> * pluto: Prefer not switching connections when possible [Paul/Hugh]
> * pluto: Move unique mark from rw_instantiate() to instantiate() for OE [Paul]
> * pluto: log more information when a bare shunt is missing [Hugh]
> * pluto: redo process_encrypted_informational_ikev2 [Hugh]
> * pluto: Add new config option encapsulation=auto|yes|no [Paul/Patrick Kerpan]
>          replacing forceencaps=yes|no
> * pluto: No longer log bogus reapchildren warning [Paul]
> * libipsecconf: remove last remnants of manual keying [Paul]
> * libipsecconf: remove auth= alias for phase2= [Paul]
> * _updown.netkey: Move addcat call from route-host to up-client [Paul]
> * ipsec: initnss|import use --nssdir for nssdb directory option [Tuomo]
> * newhostkey: use --nssdir for nssdb directory option [Tuomo]
> * showhostkey: use --nssdir for nssdb directory option [Tuomo]
> * barf: minor improvements with systemd/journalctl [Paul]
> * verify: fix "with FIPS" output to print OK [Paul]
> * _stackmanager: add cmac and chacha20poly1305 to modprobe list [Paul]
> * building: libreswan assumes -std=gnu99 when building [Andrew]
> * building: USE_EXTRACRYPTO replaced by USE_SERPENT and USE_TWOFISH [Paul]
> * building: Disable DH22 by default. To re-enable use USE_DH22=true [Paul]
> * building: work around flex 2.5.4 (CentOS 5); use: -o/output/file [Andrew]
> * sysvinit: remove unnecessary warnings about already stopped pluto [Tuomo]
> * initsystems: Enable "systemctl help ipsec" [dkg]
> * testing: various web output fixes (see testing.libreswan.org) [Andrew]
> * testing: various test updates / additions [Paul/Antony]
> * documentation: fixup changes in GPL 2.0 / LGPL like FSF address [dkg]
> * Bugtracker bugs fixed:
>    #270 newhostkey: text output produces 1 character bug in pubkey [Andrew]
>    #272 Option --leak-detective causes assertion failure [Bill / Paul]
>    #277 pluto: fix pluto events leak in timer_event_cb [Bill Rios]
>    #152 ipsec whack --initiate for xauth does not release whack [Paul/Hugh]
> _______________________________________________
> Swan-announce mailing list
> Swan-announce at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan-announce
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
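The two keyword renames the announcement lists (auth= to phase2=, forceencaps= to encapsulation=) applied to an ipsec.conf, as an added migration helper that is not part of libreswan. The sample config is constructed, and mapping forceencaps=no to encapsulation=auto is an assumption, since the announcement only names the new keyword's values.

```python
"""Added example (not libreswan code): rewrite ipsec.conf keywords that
libreswan 3.19 obsoleted, per the announcement above."""
import re

# Renames stated in the announcement. Mapping forceencaps=no to
# encapsulation=auto is an assumption: "no" meant "detect NAT yourself".
KEYWORD_MAP = {
    "auth": lambda v: ("phase2", v),
    "forceencaps": lambda v: ("encapsulation", "yes" if v == "yes" else "auto"),
}

# key=value with optional indent and trailing "# comment"
LINE_RE = re.compile(r"^(\s*)([A-Za-z0-9_-]+)\s*=\s*(\S+)(\s*(?:#.*)?)$")


def migrate_conf(text):
    """Return (new_text, changes); changes is a list of (old, new) lines."""
    out, changes = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        key = m.group(2).lower() if m else None
        if key in KEYWORD_MAP:
            new_key, new_value = KEYWORD_MAP[key](m.group(3).lower())
            new_line = f"{m.group(1)}{new_key}={new_value}{m.group(4)}"
            changes.append((line.strip(), new_line.strip()))
            line = new_line
        out.append(line)
    return "\n".join(out) + "\n", changes


# Constructed sample config still using the removed keywords.
SAMPLE_CONF = """\
conn office
    left=192.0.2.1
    right=198.51.100.7
    auth=esp
    forceencaps=yes   # behind a NAT that drops ESP
    authby=secret
    auto=start
"""

if __name__ == "__main__":
    new_conf, changes = migrate_conf(SAMPLE_CONF)
    for old, new in changes:
        print(f"{old} -> {new}")
    print(new_conf, end="")
```

Run it against a copy of /etc/ipsec.conf before upgrading; lines it reports are the ones 3.19 will no longer accept.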