[Swan] [Swan-announce] Libreswan 3.20 released

Nick Howitt nick at howitts.co.uk
Thu Mar 23 17:18:09 UTC 2017


Hi Paul,

The libreswan el7 repo is giving a 403:

    [root@server ~]# yum update libreswan
    Loaded plugins: clearcenter-marketplace, fastestmirror
    <snip>
    libreswan                                                | 2.9 kB     00:00
    libreswan/7/x86_64/primary_db                            |  15 kB     00:00
    <snip>
    Resolving Dependencies
    --> Running transaction check
    ---> Package libreswan.x86_64 0:3.19-1.el7_3 will be updated
    ---> Package libreswan.x86_64 0:3.20-1.el7 will be an update
    --> Finished Dependency Resolution

    Dependencies Resolved

    ================================================================================
      Package           Arch           Version Repository         Size
    ================================================================================
    Updating:
      libreswan         x86_64         3.20-1.el7 libreswan         1.3 M

    Transaction Summary
    ================================================================================
    Upgrade  1 Package

    Total download size: 1.3 M
    Is this ok [y/d/N]: y
    Downloading packages:
    Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
    libreswan-3.20-1.el7.x86_64.rp FAILED
    http://download.libreswan.org/binaries/rhel/7/x86_64/libreswan-3.20-1.el7.x86_64.rpm: [Errno 14] HTTPS Error 403 - Forbidden
    Trying other mirror.
    To address this issue please refer to the below knowledge base article

    https://access.redhat.com/solutions/69319

    If above article doesn't help to resolve this issue please create a
    bug on https://bugs.centos.org/



    Error downloading packages:
       libreswan-3.20-1.el7.x86_64: [Errno 256] No more mirrors to try.

    [root@server ~]# wget http://download.libreswan.org/binaries/rhel/7/x86_64/libreswan-3.20-1.el7.x86_64.rpm
    --2017-03-23 17:13:08--  http://download.libreswan.org/binaries/rhel/7/x86_64/libreswan-3.20-1.el7.x86_64.rpm
    Resolving download.libreswan.org (download.libreswan.org)... 193.110.157.101, 188.127.201.229, 2a03:6000:1004:1::101, ...
    Connecting to download.libreswan.org (download.libreswan.org)|193.110.157.101|:80... connected.
    HTTP request sent, awaiting response... 301 Moved Permanently
    Location: https://download.libreswan.org/binaries/rhel/7/x86_64/libreswan-3.20-1.el7.x86_64.rpm [following]
    --2017-03-23 17:13:08--  https://download.libreswan.org/binaries/rhel/7/x86_64/libreswan-3.20-1.el7.x86_64.rpm
    Connecting to download.libreswan.org (download.libreswan.org)|193.110.157.101|:443... connected.
    HTTP request sent, awaiting response... 403 Forbidden
    2017-03-23 17:13:09 ERROR 403: Forbidden.


Same for https.

Regards,

Nick

On 23/03/2017 01:43, The Libreswan Project wrote:
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
>
> The Libreswan Project has released libreswan-3.20
>
> This is a bugfix and feature release.
>
> New Features:
>
> This release completes support for the CREATE_CHILD_SA Exchange,
> support for the ECP Diffie-Hellman Groups (19-21), statistics support
> via ipsec whack --globalstatus and changed the IKE and ESP defaults to
> match rfc4307bis and rfc7321bis.
>
> Important bugfixes:
>
> A number of memory leaks were fixed, two use-after-free bugs, improved
> linking reducing binary sizes, and some misc bugfixes.
>
> Compatibility changes:
>
> The uniqueids= keyword is ignored for PSK based connections, allowing
> uniqueids=yes and mixing RSA/PSK connections. Some minor logging
> changes.
>
> You can download libreswan via https at:
>
> https://download.libreswan.org/libreswan-3.20.tar.gz
> https://download.libreswan.org/libreswan-3.20.tar.gz.asc
>
> The full changelog is available at:
> https://download.libreswan.org/CHANGES
>
> Please report bugs either via one of the mailinglists or at our bug tracker:
>
> https://lists.libreswan.org/
> https://bugs.libreswan.org/
>
> Binary packages for RHEL/EPEL and Debian/Ubuntu can be found at
> https://download.libreswan.org/binaries/
>
> Binary packages for Fedora and Debian should be available in their
> respective repositories a few days after this release.
>
> See also https://libreswan.org/
>
> v3.20 (March 14, 2017)
> * pluto: Add ECP dh19(secp256r1), dh20(secp384r1) and dh21(secp521r1) [Andrew]
> * pluto: Add dh= aliases for all modp= groups (eg "dh2" for "modp1024") [Paul]
> * pluto: Add statistics support to ipsec whack --globalstatus [Paul]
> * pluto: Add statistics clearing support using ipsec whack --clearstats [Paul]
> * pluto: Fix use-after-free in whack event handler (since v3.19) [Andrew]
> * pluto: Cleanup kernel_netlink.c [Hugh]
> * pluto: Print AH= algorithm and ESN when established [Paul/Andrew]
> * pluto: strip file path from abort messages [Andrew]
> * pluto: Support initiating template conn with --remote-host <ipaddr> [Paul]
> * pluto/libswan: Change most ttoaddr() to ttoaddr_num() to prevent DNS [Paul]
> * pluto: fix use-after-free with EVENT_v2_RELEASE_WHACK [Andrew]
> * pluto: orient() asserted on SPLIT_INC without remote-peer-type=cisco [Paul]
>          (reported by Oleg Rosowiecki)
> * pluto: accurately size a buffer for the decimal representation [Hugh]
>          (debian bug 853507)
> * pluto: avoid gcc unused variable warnings when USE_KLIPS=false [dkg]
> * pluto: Support for Linux systems without IFA_F_TENTATIVE (CentOS5) [Paul]
> * pluto: Ignore uniqueids= for roadwarrior PSK and assume non-unique [Paul]
> * IKEv2: CREATE_CHILD support for Parent SA and Child SA rekeying [Antony]
> * IKEv2: Various refactoring for CREATE_CHILD support [Antony]
> * IKEV2: OE/CAT: Don't send CP request when responder is behind NAT [Antony]
> * IKEv2: log first notify payload when we receive a Notify Error [Paul]
> * IKEv2: Fix memory leak in DH secret calculation (since v3.9) [Andrew]
>          (reported by Eric Andresson)
> * IKEv2: If re-entering ikev2_crypto_start(), reset msgid [Paul]
> * IKEv2: prevent copying bogus peer id when ID kind is IPv4/IPv6 [Paul]
>          (rhbz#1392191)
> * IKEv2: suppress DELETE notifies for connections being replaced [Paul]
> * IKEv2: re-instate ISAKMP_SA_established() [Paul]
> * IKEv1: For IKE (phase 1), prefer 256-bit encryption [Andrew]
> * IKEv1: Print conn algo's when using XAUTH [Andrew]
> * IKEv1: Simplify ike= defaults (drop MODP1024, MD5, add MODP2048) [Andrew]
> * IKEv1: Prefer 256-bit keys over 128-bit keys for IKE [Andrew]
> * IKEv1: Also call ISAKMP_SA_established() in Aggressive Mode [Paul]
> * newhostkey: Convert remaining --configdir for --nssdir [Tuomo]
> * barf: Ensure proper macros are used. Add certutil/crlutil output [Paul]
> * misc: Fix various spelling errors in code/comments/man pages [dkg]
> * packaging: spec files should use 0 and 1, not true and false [David Arnold]
> * building: NSS_REQ_AVA_COPY?=true to support new NSS lib export fix [Paul]
> * building: Remove no longer needed NSSCERT_CheckCrlTimes() copy [Paul]
> * building: fetch: remove support for ancient LDAP version 2 [Tuomo]
> * building: move whack to separate programs/whack/ directory [Andrew]
> * building: Various Makefile variable cleanups and double link fixes [Andrew]
> * building: Don't check runtime for SElinux/systemd with DESTDIR [Paul]
> * documentation: added oe-letsencrypt-* example configs [Paul]
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.22 (GNU/Linux)
>
> -----END PGP SIGNATURE-----