[Swan] [Swan-announce] Libreswan 3.21 released

Nick Howitt nick at howitts.co.uk
Thu Aug 10 19:46:09 UTC 2017


Hi Paul,

Libreswan updated last night and now fails to start:

Aug 10 20:36:49 server addconn: /usr/libexec/ipsec/addconn: symbol 
lookup error: /usr/libexec/ipsec/addconn: undefined symbol: 
ub_ctx_create_event
Aug 10 20:36:49 server systemd: ipsec.service: control process exited, 
code=exited status=127
Aug 10 20:36:49 server systemd: Failed to start Internet Key Exchange 
(IKE) Protocol Daemon for IPsec.
Aug 10 20:36:49 server systemd: Unit ipsec.service entered failed state.
Aug 10 20:36:49 server systemd: ipsec.service failed.

Any clues?

Regards,

Nick

On 10/08/2017 02:34, The Libreswan Project wrote:
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
>
> The Libreswan Project has released libreswan-3.21
>
> This is a bugfix and feature release.
>
> New Features:
>
> This release features Opportunistic IPsec using DNSSEC lookups of
> IPSECKEY records. It also adds support for the DNSSEC root key rollover
> that is currently happening with support for loading new DNSSEC
> trust anchors from disk. If using DNSSECi with libreswan, please
> upgrade to this version before October 10, 2017.
> Support for hardware offloading for certain NIC cards (such as Mellanox)
> was added. PFS support was added to the CREATE_CHILD_SA Exchange.
>
> Important bugfixes:
>
> The ID handling code is now more strict when using certificates. Any
> ID configured via leftid= or rightid= MUST either be the certificate
> DN or be a SubjectAltName (SAN) on the certificate.
> A race condition in the threading code was fixed that could cause pluto
> to crash on loaded systems that use IKEv1 XAUTH or IKEv2 PAM 
> authentication.
> A crasher in FIPS mode when input to hashing algorithms was too weak 
> was fixed.
>
> Compatiblity changes:
>
> The above mentioned stricter ID handling can cause existing connections
> to fail if a SubjectAltName is missing from a certificate whose ID is
> specified specified in the connection.
>
> You can download libreswan via https at:
>
> https: //download.libreswan.org/libreswan-3.21.tar.gz
> https: //download.libreswan.org/libreswan-3.21.tar.gz.asc
>
> The full changelog is available at:
> https: //download.libreswan.org/CHANGES
>
> Please report bugs either via one of the mailinglists or at our bug 
> tracker:
>
> https: //lists.libreswan.org/
> https: //bugs.libreswan.org/
>
> Binary packages for RHEL/EPEL and Debian/Ubuntu can be found at
> https: //download.libreswan.org/binaries/
>
> Binary packages for Fedora and Debian should be available in their 
> respective
> repositories a few days after this release.
>
> See also https://libreswan.org/
>
> v3.21 (August 9, 2017)
> * FIPS: Don't crash on too weak PSK's in FIPS mode, warn for non-FIPS 
> [Andrew]
> * FIPS: rsasigkey: Use modulus F4, not 3 (FIPS 186-4, section B.3.1) 
> [Paul]
> * pluto: Support for "idXXX" esp/ike transform IDs removed [Andrew,Paul]
> * pluto: Do not return whack error when termining an alias connection 
> [Paul]
> * pluto: Remove IKE policy bits on passthrough conns [Paul]
> * pluto: Minor memory leak fixes [Paul]
> * pluto: Fix memory leak due to addresspool reference count error 
> [Antony]
> * pluto: Re-add support for ipsec whack --listevents [Antony]
> * pluto: Cleanup listed events on shutdown to please leak-detective 
> [Antony]
> * pluto: Perform stricter SubjectAltName checks on configured ID's [Paul]
> * pluto: Handle *subnets in --route and --unroute via whack [Mika/Tuomo]
> * pluto: Unify IKEv1 XAUTH and IKEv2 PAM threading code [Andrew]
> * pluto: Use pthread_cancel() (not SIGINT, conflicts with debuggers) 
> [Andrew]
> * pluto: Fix memory corruption with XAUTH/PAM threads [Andrew/Hugh]
> * pluto: Fix resource leak processing XAUTH password authentication 
> [Andrew]
> * pluto: Fix warnings generated by gcc 7.1 [Lubomir Rintel]
> * pluto: NIC offload support nic-offload=auto|yes|no (eg mellanox) 
> [Ilan Tayari]
> * pluto: Use common function in ikev1 / ikev2 for dpd/liveness actions 
> [Antony]
> * NSS: Try harder finding private keys that reside on hardware tokens 
> [Andrew]
> * IKEv2: Opportunistic IPsec support for IPSECKEY records [Antony]
> * IKEv2: New dnssec-enable=yes|no, dnssec-rootkey-file=, 
> dnssec-anchors= [Paul]
> * IKEv2: If CREATE_CHILD_SA superseded retransmit, drop it [Antony]
> * IKEv2: Add PFS support for CREATE_CHILD_SA (RFC7296 1.3.1) [Antony]
> * IKEv2: Add PFS support for CREATE_CHILD_SA (RFC7296 1.3.2 responder) 
> [Antony]
> * IKEv2: Add PFS support for CREATE_CHILD_SA (RFC7296 1.3.3 responder) 
> [Antony]
> * IKEv2: Flush ESP/AH proposals on the initiator. It could be stale 
> [Antony]
> * IKEv2: State Machine (svm) updates to simplify CREATE_CHILD_SA [Antony]
> * IKEv2: DH role is based on message role not Original Initiator role 
> [Antony]
> * IKEv2: Return CHILD_SA_NOT_FOUND when appropriate [Antony]
> * IKEv2: After an IKE rekey, rehash inherited Child SA to new parent 
> [Antony]
> * IKEv2: Rekeying must update SPIs when inheriting a Child SA [Antony]
> * IKEv2: Decrypt and verify the paylods before calling processor [Andrew]
> * IKEv2: Fragmentation code cleanup [Andrew]
> * IKEv2: Drop CREATE_CHILD_SA message when no IKE state found [Antony]
> * IKEv2: Do not send a new delete request for the same Child SA [Antony]
> * IKEv2: During Child SA rekey, abort when ESP proposals mismatch 
> [Antony]
> * IKEv2: OE client check should take responders behind NAT into 
> account [Paul]
> * IKEv2: Improved dpdaction=hold processing [Antony]
> * IKEv1: Only initiate and create IKE SA for appropriate dpdaction 
> [Antony]
> * IKEv1: Re-add SHA2_256 (prefered) and SHA2_512 to IKEv1 defaults 
> [Andrew]
> * IKEv1: Aggressive Mode fixes for sending CERT / CERTREQ payloads [Paul]
> * IKEv1: Multiple CISCO_SPLIT_INC's cause duplicate spd_routes [Oleg 
> Rosowiecki]
> * X509: Improve some failure logging [Paul]
> * XFRM: Use proper alignment for IPv4 AH as per RFC4302 Section 
> 3.3.3.2.1 [Paul]
> * XFRM: Update including system or local copy of xfrm.h [Paul/Antony]
> * XFRM: Remove no longer needed {rt}netlink.h copies [Paul]
> * KLIPS: cryptoapi: switch from hash to ahash [Richard]
> * KLIPS: Add traffic accounting support [Richard/Paul]
> * KLIPS: Support for linux 4.11 [Paul]
> * lib: Move the alg_info lookup-by-name code to libswan [Andrew]
> * lib: Move all conditionally compiled ike_alg*.c files to libswan.a 
> [Andrew]
> * addconn: Replace ttoaddr() with calls supporting DNSSEC [Paul/Antony]
> * libswan: Algo code cleanup [Andrew]
> * libipsecconf: Load specified RSA keys irrespective of policy [Paul]
> * libipsecconf/pluto: Be more strict in authby= & type= combinations 
> [Paul]
> * libipsecconf: Fail to load connections with unsatisfied auto= clause 
> [Hugh]
> * parser: Numerous algorithm parser fixes, eg. esp=aes_ccm_8_128-null 
> [Andrew]
> * algparse: (Experimental) modified to run algorithm parser 
> stand-alone [Andrew]
> * newhostkey: Actually append to secrets as the warning claims it will 
> [Paul]
> * _updown.netkey: Fix syntax failure when PLUTO_MY_SOURCEIP is not set 
> [Tuomo]
> * _updown.netkey,klips: Fix use of printf when updating resolv.conf 
> [Tuomo]
> * _updown.netkey: Remove wrong use of PLUTO_PEER_CLIENT netmask [Tuomo]
> * _updown: Add MAX_CIDR variable for host netmask [Tuomo]
> * ipsec import: Trust bits correction did not always trigger [Tuomo]
> * building: Convert lib/ to use mk/library.mk [Andrew]
> * building: Work around rhel-6 gcc [Andrew]
> * building: Add copy unbound-event.h work around broken unbound 
> installs [Paul]
> * packaging: Better split rpm and make variables [Paul]
> * packaging: Updates for new requirements for ldns, unbound-devel [Paul]
> * testing: Add DNSSEC, Opportunistic IPsec testcases, fixups [Multiple 
> people]
> * contrib: Munin plugin for libreswan [Kim/Paul]
> -----BEGIN PGP SIGNATURE-----
>
> iQIcBAEBCgAGBQJZi7foAAoJEIX/S0OzD8b5dzQP/jLS3XCt1LYZ4O74zbeli97X
> XoBLpooCNDxLHdgtxCfd7qY1v4aBCmXOyNheuWbloWUPVUKlUlpXdZrulM2Ny2TO
> IkaIjXKM5EdMJdCds6k8LzFaMGMYNAu4v56QFfnfKqOy2UKjNu5uhHan4A0n9jgK
> ORkNaoiLjqmhRXdCHfTGPxs4U5JbpBsezjq49tU3m4tyLAixr4YbJB5/kLc+/BOI
> gpkZ7cuH5PbC3Rv/ywpkhckSiUcZEC7A4//rXahM4QzzWXsi7RhO6mOG2oU+s6lU
> NSKoDqj2Km+NMoQuXlbEfPLPESvUU8buWQhLlItekvhMP1oWftl1/vzoQRtYp6ZS
> MTcgS6vmkCr08ZDejDdfdR2Cfb8D+/MBy2f0fk7lvkii3NXmoIm2TQhwHjXxlPob
> 1QqVyv/HVw6HkDCG3K9RHJcqSOvbcXNafv0XyHSkwMlnD/60wnMog9OuzGhPKtVL
> 26oFj4VeBO0LkiuDcYIf3LAblmsRnaxtNFBdat/L2dlBR9eKYXLKYG9LGai0iH+t
> 76TLvuH68f5PZHaxcjYOO5FN6CNFOmHYsyAVsU7smNpRWWJJiw8sSiJju5Sz/Hic
> JNSbw9zFUcIcxNPNVrISlhvTVd4zpld/RaPytHBP/+tFI5gxFBEdSxooqPURVyHw
> nDCCqZyGAnX1jLZNqpHY
> =/JN4
> -----END PGP SIGNATURE-----
> _______________________________________________
> Swan-announce mailing list
> Swan-announce at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan-announce
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan



More information about the Swan mailing list