[Swan] [Swan-announce] libreswan-3.25 released

Nick Howitt nick at howitts.co.uk
Thu Jun 28 19:56:02 UTC 2018


Hi Paul,
Thanks for the update. I can see the file in the el7 repo but yum does 
not pick it up.
Regards,
Nick

On 28/06/2018 00:40, The Libreswan Project wrote:
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
>
> The Libreswan Project has released libreswan-3.25
>
> This is a major bugfix release with some additional features
>
> New Features:
> Various Opportunistic IPsec related features
> Harden IP triggered OE with new dns-match-id=yes|no
>
> Important bugfixes:
> Various fixes to VTI interface handling
> Various updates to updown handling and routing/proxyarp
> DPD/liveness false positives and false negatives
> FIPS improvements
> CRL handling improvements
>
> Compatibility changes:
> connaddrfamily= should no longer be used, and 6in4 and 4in6 should be
> autodetected. Additionally, hostaddrfamily= and clientaddrfamily= are
> introduced to set the endpoint or inner address families.
>
> You can download libreswan via https at:
>
> https://download.libreswan.org/libreswan-3.25.tar.gz
> https://download.libreswan.org/libreswan-3.25.tar.gz.asc
>
> The full changelog is available at:
> https://download.libreswan.org/CHANGES
>
> Please report bugs either via one of the mailinglists or at our bug 
> tracker:
>
> https://lists.libreswan.org/
> https://bugs.libreswan.org/
>
> Binary packages for RHEL/EPEL and Debian/Ubuntu can be found at
> https://download.libreswan.org/binaries/
>
> Binary packages for Fedora and Debian should be available in their 
> respective
> repositories a few days after this release.
>
> See also https://libreswan.org/
>
> v3.25 (June 27, 2018)
> * IKEv2: MOBIKE Initiator support (RFC 4555) [Antony]
> * IKEv2: Support for IKE SA rekeying RFC7296 1.3.2, initiator [Antony]
> * IKEv2: Support for IPsec SA rekeying RFC7296 1.3.3, initiator [Antony]
> * IKEv2: Support for IKE SA reauth=yes|no RFC7296  2.8.3 [Antony]
> * IKEv2: Temporarily disable Liveness/DPD when MOBIKE kicks in [Antony]
> * IKEv2: No longer allow contradicting esp= and pfs= options [Andrew]
> * IKEv2: PPK support for authby=rsasig [Vukasin Karadzic]
> * IKEv2: IANA INTERNAL_DNSSEC_TA allocation added [Paul]
> * IKEv2: Add PPK support to authby=rsasig [Vukasin]
> * IKEv2: Don't calculate NO_PPK_AUTH when the POLICY is INSIST [Vukasin]
> * IKEv2: fix PPK when responder is ppk=no but has a valid PPKID 
> [Paul/Vukasin]
> * IKEv2: Support for protoport based Opportunistic IPsec [Paul]
> * IKEv2: Support multiple authby values (eg authby=rsasig,null) [Paul]
> * IKEv2: Support for AUTHNULL fallback via private use Notify [Vukasin]
> * IKEv2: Fix v3.23 regression causing liveness check to always fail 
> [Tuomo]
> * IKEv2: Support for Microsoft rekey bug: ms-dh-downgrade=yes|no 
> [Andrew/Paul]
> * IKEv2: Allow switching between OE instances with different 
> protoports [Paul]
> * IKEv2: process INITIAL_CONTACT and delete old states from a 
> connection [Paul]
> * IKEv2: Only retransmit fragments on receiving first fragment [Andrew]
> * IKEv2: When sending fragments, also update st_msgid_lastreplied [Paul]
> * IKEv2: Encrypt IKE_AUTH reply when authentication failed [Andrew]
> * IKEv2: Fix handling of corrupt encrypted packets [Andrew]
> * IKEv2: Do not call ISAKMP_SA_established() during CREATE_CHILD_SA 
> [Paul]
> * IKEv2: When receiving Initial Contact, delete old IPsec SA's [Paul]
> * IKEv2: Harden IP triggered OE with new dns-match-id=yes|no [Antony/Paul]
> * IKEv2: Add PRF/INTEG support for AES_XCBC / AES_CMAC [Andrew]
> * IKEv2: permit DH=none (as in esp=aes;none,aes;dh22) [Andrew]
> * IKEv1: Prevent crashes with IKEv1 mistakenly allowing narrowing=yes 
> [Paul]
> * IKEv1: DPD was not getting scheduled (bug introduced in 3.23) [Paul]
> * IKEv1: modecfg_send_set() must not ignore failure of modecfg_resp() 
> [Hugh]
> * X509: Extend support for wildcard certs matching remote peer ID 
> [Paul/Hugh]
> * X509: Support PKCS7 for Microsoft interop with intermediate certs 
> [Andrew]
> * X509: Handle CRL fetching in separate thread [Andrew]
> * pluto: Obsoleted connaddrfamily= (fixes 6in4 and 4in6) [Paul]
> * pluto: New hostaddrfamily= and clientaddrfamily= (only needed w DNS) 
> [Paul]
> * pluto: Cleanup of state/md passing code [Andrew]
> * pluto: Allow switching back from wrong instance to template conn [Paul]
> * pluto: disentangle IKEv1 and IKEv2 packet sending code [Andrew]
> * pluto: Allow rightsubnets= without leftsubnet(s)= [Paul]
> * pluto: don't share IP leases for authby=secret (in case of group ID) 
> [Paul]
> * pluto: Parser bug prevented 4in6 config [mhuntxu at github, Daniel 
> M. Weeks]
> * pluto: Find and delete old connection/states with same ID [Paul/Hugh]
> * pluto: traffic log (and updown) line had in/out bytes swapped 
> [Paul/Tuomo]
> * pluto: Fix memory/fd leaks found by Coverity and in cert code 
> [Hugh/Andrew]
> * pluto: Improve SPD longest prefix to priority calculation 
> [Andrew/Paul/Hugh]
> * addconn: Fix auto=route and auto=start processing [Paul]
> * whack/auto: Ensure all status and list commands return no error code 
> [Paul]
> * KLIPS: Replace deprecated blkcipher with skcipher crypto API [Tijs 
> Van Buggenhout]
> * FIPS: Support new NIST ACVP protocol with cavp tool cmdline args 
> [Andrew]
> * FIPS: Don't attempt HMAC integrity test on rsasigkey (rhbz#1544143) 
> [Paul]
> * FIPS: Don't allow RSA keys < 3072 [Matt/Paul]
> * FIPS: Enable our PRF aes_xcbc wrapper on NSS hash code in FIPS mode 
> [Andrew]
> * FIPS: Raise minimum RSA key length allowed to 3072 [Paul]
> * CAVP: Add -<acvp-key> <acvp-value> and -json(output) options to CAVP 
> [Andrew]
> * portexcludes: new command ipsec portexcludes (see portexcludes.conf) 
> [Paul]
> * _updown.netkey: fix deleting routes when half routes are used [Tuomo]
> * _updown.netkey: don't delete VTI interfaces until we can refcount 
> [Tuomo]
> * _updown.netkey: fix unroute: "need at least a destination address" 
> [Tuomo]
> * _updown.netkey: don't do proxyarp for direct host-host tunnels [Tuomo]
> * _updown.netkey: force routing if we don't have route to remote 
> network [Tuomo]
> * _unbound-hook: Pass all IPSECKEY's to pluto, not just the first [Paul]
> * contrib/python-swan: module to check if traffic can be encrypted [Kim]
> * contrib/c-swan: example code to check if traffic can be encrypted [Kim]
> * building: added USE_GLIBC_KERN_FLIP_HEADERS (default off) [Paul]
> * building: when ElectricFence enabled, add extra system calls to 
> seccomp [Andrew]
> * ipsec: add checknss option --settrusts to reset CA trusts in nss db 
> [Tuomo]
> * _updown.netkey: force routing when necessary for IPsec to work [Tuomo]
> * _updown.netkey: do not proxyarp for host-host tunnels [Tuomo]
> * look: sort XFRM output by priority [Andrew]
> * Bugtracker bugs fixed:
>    #311: segfault in crl fetching git master f5b17dc [Andrew, Tuomo]
>    #314: IPv6 default route is deleted by mistake
>    #318: vti interface gets down on previous initiator if roles switch 
> [Tuomo]
>    #320: nsspassword file location is half implemented
>    #328: addconn crash on duplicate "left" or "leftid" keys in conn 
> config [Stepan Broz]
> -----BEGIN PGP SIGNATURE-----
>
> iQIcBAEBCgAGBQJbNCBQAAoJEIX/S0OzD8b5bmAP/RMY8hoJXpE7u115CMP3MEkg
> ARsBDgiJ3TNbKYbFdGqu/GieLjunnF8QnRBUFnFypzzmxv3YJng4P+3bPKLZsgVl
> vdTqFj4CHq0NeCmgYpU79pTU9Qs5Zpz6svCEnk655wTNvSN3t/BESw/HHRL5ywBN
> SLL86RsUcKmwyL2XYTUekH6qcaYEi0Q0R9AL0fPk2pl+Yr7UxJOxG5tuMIVve7dp
> 4toP+kUSrwLqNPX4+rZQJ9KGjIMkfruPXuw6tgth8NGN17FkPE9l5QvLLmQkHyzf
> DUqkG6lEUccY2s/ObWhYBi0omhU9C5pgznwly9XCL2M1ktdsYE6StmdFQwcljQCI
> hu2OzlBPMoALr+IVlH/IkijfpBqIsOgWmYkQTUpYIj+rpk+2HlCYFSC5yoba8qjI
> THuqewG9CD1obNdHLbvImGLRJMF7MZ1erzYBry6ynA6KoeHAHdjCNsMfA6Zsc+F5
> VheIoY7dL8k/x3PUmOvaEvFcsr04RPxbTms1jjPBt0stLauuz20nbT8RLzKVqJV7
> sTRfTUMZ57Xz0R6oyplVj4JcZzfUEwSZubq5d6RTbgG/Pt+hjDFUk8fPESZVvqVg
> qeBIN2nFnvEhwU0OJZXDXgWjbJw8K0dF5VrsKpS9X41QSPG8gobEMUM06D+G7WBn
> mqFudY9Z4ee3cs1CZwVM
> =/8E4
> -----END PGP SIGNATURE-----
> _______________________________________________
> Swan-announce mailing list
> Swan-announce at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan-announce
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
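The compatibility note in the quoted announcement (connaddrfamily= obsoleted, hostaddrfamily= and clientaddrfamily= added) is easiest to see as an ipsec.conf fragment. The following is an added example, not part of the announcement or of the libreswan project's documentation; the connection names, endpoint addresses, DNS names and subnets are made up for illustration, and the claim that the new keywords are only needed when endpoints are given as DNS names is taken from the changelog entry above.

```conf
# Added example (not from the announcement or the libreswan project):
# a 6in4 tunnel, IPv6 subnets carried between IPv4 endpoints.
# All addresses, names and conn names below are made up.

# Before 3.25: the endpoint address family had to be forced by hand.
conn site-a-to-site-b-old
    connaddrfamily=ipv4          # obsoleted in 3.25; remove this line
    left=192.0.2.1
    leftsubnet=2001:db8:a::/48
    right=198.51.100.1
    rightsubnet=2001:db8:b::/48
    authby=rsasig
    auto=start

# 3.25 and later: with literal addresses, the outer (IPv4) and inner (IPv6)
# families are detected from the values themselves, so nothing is set.
conn site-a-to-site-b
    left=192.0.2.1
    leftsubnet=2001:db8:a::/48
    right=198.51.100.1
    rightsubnet=2001:db8:b::/48
    authby=rsasig
    auto=start

# When the endpoints are DNS names, a name may have both A and AAAA records,
# so pluto must be told which family to resolve the endpoints to.
conn site-a-to-site-b-dns
    hostaddrfamily=ipv4          # endpoint (outer) family; assumed syntax
    left=vpn-a.example.com
    leftsubnet=2001:db8:a::/48
    right=vpn-b.example.com
    rightsubnet=2001:db8:b::/48
    authby=rsasig
    auto=start
```

clientaddrfamily= is the matching knob for the inner (client) addresses and is likewise only needed when they cannot be inferred from literal values. The operational check a practitioner would run after editing is a config parse (for example `ipsec addconn --checkconfig`, which is the parser this release's bug #328 fix hardened) and a review of `ipsec status` for the conn after `ipsec auto --add`, confirming the outer SA is negotiated between the IPv4 endpoints while the installed XFRM policies carry the IPv6 subnets.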