[Swan] [Swan-dev] libreswan 3.19 uploaded to debian unstable (unauth OE, debian strategies)

Thu Jan 26 05:04:50 UTC 2017

On Wed, 25 Jan 2017, Daniel Kahn Gillmor wrote:

(Added swan@ to list for larger exposure)

> i've just uploaded libreswan 3.19 to debian unstable.  thanks very much
> for all your work on libreswan!

Awesome! Thank you very much!!

> I've also posted a couple pull requests and issues on github related to
> minor nitpicks i found while packaging.  I hope they're helpful.

They've been merged in and will be in 3.20.

> Unauthenticated Opportunistic Encryption
> ----------------------------------------
>
> I've been trying to test out the unauthenticated opportunistic mode, and
> i haven't had as much luck with it as i'd like yet.
>
> in particular, i was hoping that i could just get the package installed,
> and then do:
>
>    cp oe-upgrade-authnull.conf /etc/ipsec.d/
>    systemctl start ipsec
>    ipsec whack --trafficstatus
>    ping -c 4 libreswan.org
>    sleep 5
>    ipsec whack --trafficstatus

I've talked to Daniel and we got it to work. Our test server was not up
and running, and his config needed a tweak. The tweak has been pushed
to the docs/example in git as well.

> […]
> 000 W.X.Y.Z/32:0 -0-> 188.127.201.229/32:0 => %pass 0    oe-failing
>
> (188.127.201.229 is the IP address i'm seeing for libreswan.org; i've
> anonymized the source IP address, but i'd be happy to share it in
> private debugging conversation)

We have not yet enabled OE for the libreswan.org domain itself. We don't
want to lock out people (yet :)

> I've also tried browsing to http://oe.libreswan.org/ and gotten the "Oh
> no! You are NOT protected by Opportunistic IPsec!" message, and seen
> "ipsec whack --shuntstatus" tell me:

This is the one we fixed together.

> Despite failing to get this OE mode working, I've uploaded the package
> to debian unstable so that it can reach a wider audience.  It's possible
> (though unlikely) that this package could migrate to debian testing in
> time for the upcoming freeze for debian "stretch" (the next stable
> release).  To do that, there would need to be no serious bugs found in
> it over the next 10 days.

We should be good, but I hope we can get some other people testing too!

> That said, i'm not sure we necessarily want it in debian stable yet
> anyway.  Committing to 3.19 being in debian stable means being willing
> to support that version for several years, and i'm not yet convinced i
> have the bandwidth to do that without serious upstream support.  I don't
> know how much y'all want to commit to 3.19 long term anyway.

In that case, I agree it would be nicer to do that for 3.20, which we
are also aiming at RHEL-7.4.

> If it stays out of debian stable for now, but it stabilizes in the near
> future, we can always use the stretch-backports repository to make it
> available for stretch users without committing to a long-term stable
> release (backports are allowed/expected to change more frequently).  I
> suspect this approach would give libreswan the better balance between
> exposure and stability for this debian release cycle, but if y'all feel
> differently as upstream, i'd be happy to hear about it.  Please let me
> know!

We'll be in touch!

Paul