[Swan] [Swan-announce] Libreswan 3.21 released

Paul Wouters paul at nohats.ca
Thu Aug 10 19:49:12 UTC 2017 

Recompile unbound with libevent support.

Sent from my iPhone

> On Aug 10, 2017, at 15:46, Nick Howitt <nick at howitts.co.uk> wrote:
> 
> Hi Paul,
> 
> Libreswan updated last night and now fails to start:
> 
> Aug 10 20:36:49 server addconn: /usr/libexec/ipsec/addconn: symbol lookup error: /usr/libexec/ipsec/addconn: undefined symbol: ub_ctx_create_event
> Aug 10 20:36:49 server systemd: ipsec.service: control process exited, code=exited status=127
> Aug 10 20:36:49 server systemd: Failed to start Internet Key Exchange (IKE) Protocol Daemon for IPsec.
> Aug 10 20:36:49 server systemd: Unit ipsec.service entered failed state.
> Aug 10 20:36:49 server systemd: ipsec.service failed.
> 
> Any clues?
> 
> Regards,
> 
> Nick
> 
>> On 10/08/2017 02:34, The Libreswan Project wrote:
>> 
>> 
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA512
>> 
>> 
>> The Libreswan Project has released libreswan-3.21
>> 
>> This is a bugfix and feature release.
>> 
>> New Features:
>> 
>> This release features Opportunistic IPsec using DNSSEC lookups of
>> IPSECKEY records. It also adds support for the DNSSEC root key rollover
>> that is currently happening with support for loading new DNSSEC
>> trust anchors from disk. If using DNSSECi with libreswan, please
>> upgrade to this version before October 10, 2017.
>> Support for hardware offloading for certain NIC cards (such as Mellanox)
>> was added. PFS support was added to the CREATE_CHILD_SA Exchange.
>> 
>> Important bugfixes:
>> 
>> The ID handling code is now more strict when using certificates. Any
>> ID configured via leftid= or rightid= MUST either be the certificate
>> DN or be a SubjectAltName (SAN) on the certificate.
>> A race condition in the threading code was fixed that could cause pluto
>> to crash on loaded systems that use IKEv1 XAUTH or IKEv2 PAM authentication.
>> A crasher in FIPS mode when input to hashing algorithms was too weak was fixed.
>> 
>> Compatiblity changes:
>> 
>> The above mentioned stricter ID handling can cause existing connections
>> to fail if a SubjectAltName is missing from a certificate whose ID is
>> specified specified in the connection.
>> 
>> You can download libreswan via https at:
>> 
>> https: //download.libreswan.org/libreswan-3.21.tar.gz
>> https: //download.libreswan.org/libreswan-3.21.tar.gz.asc
>> 
>> The full changelog is available at:
>> https: //download.libreswan.org/CHANGES
>> 
>> Please report bugs either via one of the mailinglists or at our bug tracker:
>> 
>> https: //lists.libreswan.org/
>> https: //bugs.libreswan.org/
>> 
>> Binary packages for RHEL/EPEL and Debian/Ubuntu can be found at
>> https: //download.libreswan.org/binaries/
>> 
>> Binary packages for Fedora and Debian should be available in their respective
>> repositories a few days after this release.
>> 
>> See also https://libreswan.org/
>> 
>> v3.21 (August 9, 2017)
>> * FIPS: Don't crash on too weak PSK's in FIPS mode, warn for non-FIPS [Andrew]
>> * FIPS: rsasigkey: Use modulus F4, not 3 (FIPS 186-4, section B.3.1) [Paul]
>> * pluto: Support for "idXXX" esp/ike transform IDs removed [Andrew,Paul]
>> * pluto: Do not return whack error when termining an alias connection [Paul]
>> * pluto: Remove IKE policy bits on passthrough conns [Paul]
>> * pluto: Minor memory leak fixes [Paul]
>> * pluto: Fix memory leak due to addresspool reference count error [Antony]
>> * pluto: Re-add support for ipsec whack --listevents [Antony]
>> * pluto: Cleanup listed events on shutdown to please leak-detective [Antony]
>> * pluto: Perform stricter SubjectAltName checks on configured ID's [Paul]
>> * pluto: Handle *subnets in --route and --unroute via whack [Mika/Tuomo]
>> * pluto: Unify IKEv1 XAUTH and IKEv2 PAM threading code [Andrew]
>> * pluto: Use pthread_cancel() (not SIGINT, conflicts with debuggers) [Andrew]
>> * pluto: Fix memory corruption with XAUTH/PAM threads [Andrew/Hugh]
>> * pluto: Fix resource leak processing XAUTH password authentication [Andrew]
>> * pluto: Fix warnings generated by gcc 7.1 [Lubomir Rintel]
>> * pluto: NIC offload support nic-offload=auto|yes|no (eg mellanox) [Ilan Tayari]
>> * pluto: Use common function in ikev1 / ikev2 for dpd/liveness actions [Antony]
>> * NSS: Try harder finding private keys that reside on hardware tokens [Andrew]
>> * IKEv2: Opportunistic IPsec support for IPSECKEY records [Antony]
>> * IKEv2: New dnssec-enable=yes|no, dnssec-rootkey-file=, dnssec-anchors= [Paul]
>> * IKEv2: If CREATE_CHILD_SA superseded retransmit, drop it [Antony]
>> * IKEv2: Add PFS support for CREATE_CHILD_SA (RFC7296 1.3.1) [Antony]
>> * IKEv2: Add PFS support for CREATE_CHILD_SA (RFC7296 1.3.2 responder) [Antony]
>> * IKEv2: Add PFS support for CREATE_CHILD_SA (RFC7296 1.3.3 responder) [Antony]
>> * IKEv2: Flush ESP/AH proposals on the initiator. It could be stale [Antony]
>> * IKEv2: State Machine (svm) updates to simplify CREATE_CHILD_SA [Antony]
>> * IKEv2: DH role is based on message role not Original Initiator role [Antony]
>> * IKEv2: Return CHILD_SA_NOT_FOUND when appropriate [Antony]
>> * IKEv2: After an IKE rekey, rehash inherited Child SA to new parent [Antony]
>> * IKEv2: Rekeying must update SPIs when inheriting a Child SA [Antony]
>> * IKEv2: Decrypt and verify the paylods before calling processor [Andrew]
>> * IKEv2: Fragmentation code cleanup [Andrew]
>> * IKEv2: Drop CREATE_CHILD_SA message when no IKE state found [Antony]
>> * IKEv2: Do not send a new delete request for the same Child SA [Antony]
>> * IKEv2: During Child SA rekey, abort when ESP proposals mismatch [Antony]
>> * IKEv2: OE client check should take responders behind NAT into account [Paul]
>> * IKEv2: Improved dpdaction=hold processing [Antony]
>> * IKEv1: Only initiate and create IKE SA for appropriate dpdaction [Antony]
>> * IKEv1: Re-add SHA2_256 (prefered) and SHA2_512 to IKEv1 defaults [Andrew]
>> * IKEv1: Aggressive Mode fixes for sending CERT / CERTREQ payloads [Paul]
>> * IKEv1: Multiple CISCO_SPLIT_INC's cause duplicate spd_routes [Oleg Rosowiecki]
>> * X509: Improve some failure logging [Paul]
>> * XFRM: Use proper alignment for IPv4 AH as per RFC4302 Section 3.3.3.2.1 [Paul]
>> * XFRM: Update including system or local copy of xfrm.h [Paul/Antony]
>> * XFRM: Remove no longer needed {rt}netlink.h copies [Paul]
>> * KLIPS: cryptoapi: switch from hash to ahash [Richard]
>> * KLIPS: Add traffic accounting support [Richard/Paul]
>> * KLIPS: Support for linux 4.11 [Paul]
>> * lib: Move the alg_info lookup-by-name code to libswan [Andrew]
>> * lib: Move all conditionally compiled ike_alg*.c files to libswan.a [Andrew]
>> * addconn: Replace ttoaddr() with calls supporting DNSSEC [Paul/Antony]
>> * libswan: Algo code cleanup [Andrew]
>> * libipsecconf: Load specified RSA keys irrespective of policy [Paul]
>> * libipsecconf/pluto: Be more strict in authby= & type= combinations [Paul]
>> * libipsecconf: Fail to load connections with unsatisfied auto= clause [Hugh]
>> * parser: Numerous algorithm parser fixes, eg. esp=aes_ccm_8_128-null [Andrew]
>> * algparse: (Experimental) modified to run algorithm parser stand-alone [Andrew]
>> * newhostkey: Actually append to secrets as the warning claims it will [Paul]
>> * _updown.netkey: Fix syntax failure when PLUTO_MY_SOURCEIP is not set [Tuomo]
>> * _updown.netkey,klips: Fix use of printf when updating resolv.conf [Tuomo]
>> * _updown.netkey: Remove wrong use of PLUTO_PEER_CLIENT netmask [Tuomo]
>> * _updown: Add MAX_CIDR variable for host netmask [Tuomo]
>> * ipsec import: Trust bits correction did not always trigger [Tuomo]
>> * building: Convert lib/ to use mk/library.mk [Andrew]
>> * building: Work around rhel-6 gcc [Andrew]
>> * building: Add copy unbound-event.h work around broken unbound installs [Paul]
>> * packaging: Better split rpm and make variables [Paul]
>> * packaging: Updates for new requirements for ldns, unbound-devel [Paul]
>> * testing: Add DNSSEC, Opportunistic IPsec testcases, fixups [Multiple people]
>> * contrib: Munin plugin for libreswan [Kim/Paul]
>> -----BEGIN PGP SIGNATURE-----
>> 
>> iQIcBAEBCgAGBQJZi7foAAoJEIX/S0OzD8b5dzQP/jLS3XCt1LYZ4O74zbeli97X
>> XoBLpooCNDxLHdgtxCfd7qY1v4aBCmXOyNheuWbloWUPVUKlUlpXdZrulM2Ny2TO
>> IkaIjXKM5EdMJdCds6k8LzFaMGMYNAu4v56QFfnfKqOy2UKjNu5uhHan4A0n9jgK
>> ORkNaoiLjqmhRXdCHfTGPxs4U5JbpBsezjq49tU3m4tyLAixr4YbJB5/kLc+/BOI
>> gpkZ7cuH5PbC3Rv/ywpkhckSiUcZEC7A4//rXahM4QzzWXsi7RhO6mOG2oU+s6lU
>> NSKoDqj2Km+NMoQuXlbEfPLPESvUU8buWQhLlItekvhMP1oWftl1/vzoQRtYp6ZS
>> MTcgS6vmkCr08ZDejDdfdR2Cfb8D+/MBy2f0fk7lvkii3NXmoIm2TQhwHjXxlPob
>> 1QqVyv/HVw6HkDCG3K9RHJcqSOvbcXNafv0XyHSkwMlnD/60wnMog9OuzGhPKtVL
>> 26oFj4VeBO0LkiuDcYIf3LAblmsRnaxtNFBdat/L2dlBR9eKYXLKYG9LGai0iH+t
>> 76TLvuH68f5PZHaxcjYOO5FN6CNFOmHYsyAVsU7smNpRWWJJiw8sSiJju5Sz/Hic
>> JNSbw9zFUcIcxNPNVrISlhvTVd4zpld/RaPytHBP/+tFI5gxFBEdSxooqPURVyHw
>> nDCCqZyGAnX1jLZNqpHY
>> =/JN4
>> -----END PGP SIGNATURE-----
>> _______________________________________________
>> Swan-announce mailing list
>> Swan-announce at lists.libreswan.org
>> https://lists.libreswan.org/mailman/listinfo/swan-announce
>> _______________________________________________
>> Swan mailing list
>> Swan at lists.libreswan.org
>> https://lists.libreswan.org/mailman/listinfo/swan
> 
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan

More information about the Swan mailing list