[Swan] [Swan-announce] libreswan-3.28 released

Libreswan Team team at libreswan.org
Tue May 21 16:59:29 UTC 2019


The Libreswan Project has released libreswan-3.28

This is a major bugfix release. Please check below for possible
incompatibilities before upgrading.

This is the first release that defaults to not compiling support for
KLIPS. You can re-enable KLIPS by compiling with USE_KLIPS=true. But if
you are still using KLIPS, look into migrating to the native XFRM stack
and use VTI / XFRMi interfaces to replace the KLIPS ipsec interfaces. The
MAST variant of the KLIPS stack has been removed (its only use case was
supporting L2TP/IPsec with transport mode, which can be done with XFRM).
We expect to remove KLIPS entirely during Q3 of 2019.

IKEv2 is now the default instead of IKEv1, if no ikev2= option is set.
Additionally, ikev2= now only takes the values 'yes' or 'no'. The old
values 'propose' and 'insist' now mean 'yes'. The old values 'never'
and 'permit' now mean 'no'.

The default proposal no longer contains SHA1. The ECP groups and
Curve25519 have been added to the default proposal. These changes might
require some configurations to specify or update their ike/esp options.
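The three changes above (KLIPS off by default, ikev2= reduced to yes/no with the old values remapped, and SHA1 dropped from the default proposal) are the ones most likely to bite an existing ipsec.conf. The following added example, which is not part of the announcement or of libreswan itself, is a small pre-upgrade checker: it parses a minimal ipsec.conf and reports the settings whose meaning changes in 3.28. The sample configuration is constructed for the example; the "ah" keyword check is an assumption that an AH-only conn sets ah= rather than esp=.

```python
IKEV2_ALIASES = {"propose": "yes", "insist": "yes", "never": "no", "permit": "no"}  # 3.28 remapping

def parse_ipsec_conf(text):
    """Minimal ipsec.conf reader -> {section: {key: value}}; headers start in column 0."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # strip comments
        if not line.strip():
            continue
        if not line[0].isspace():                     # 'config setup' / 'conn NAME'
            head, _, rest = line.partition(" ")
            current = "setup" if head == "config" else rest.strip()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def check_ipsec_conf(text):
    """Return (section, keyword, message) for settings whose meaning changed in 3.28."""
    sections, findings = parse_ipsec_conf(text), []
    if sections.get("setup", {}).get("protostack", "").lower() in ("klips", "mast"):
        findings.append(("setup", "protostack", "KLIPS not built by default, MAST removed; use XFRM"))
    for name, keys in sections.items():
        if name in ("setup", "%default"):
            continue
        v = keys.get("ikev2")
        if v is None:
            findings.append((name, "ikev2", "unset: default is now IKEv2, not IKEv1"))
        elif v.lower() in IKEV2_ALIASES:
            findings.append((name, "ikev2", f"'{v}' now means '{IKEV2_ALIASES[v.lower()]}'"))
        for kw in ("ike", "esp"):
            if kw not in keys and not (kw == "esp" and "ah" in keys):   # assumed: AH conns use ah=
                findings.append((name, kw, "unset: default proposal dropped SHA1, added ECP/Curve25519"))
    return findings

# Constructed sample ipsec.conf, not taken from the announcement.
SAMPLE_CONF = """config setup
    protostack=klips
conn legacy-site
    ikev2=permit
    ike=aes256-sha1;modp2048
conn modern
    ikev2=insist
    ike=aes_gcm+chacha20_poly1305,aes-sha2+sha1   # 3.28 '+' proposal syntax
    esp=aes_gcm
conn roadwarrior
    left=%defaultroute
"""
```

Run check_ipsec_conf(SAMPLE_CONF) to get one finding for the KLIPS stack, one each for the remapped ikev2= values, and three for the roadwarrior conn that relies entirely on the changed defaults.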

A few cases where interpretation of IKE packets could lead to a crash
have been fixed. These are not exploitable; they are assertion failures.

Connections that were told to remain up via auto=start or 'ipsec auto
--up' now try harder to re-initialize when they go down. A back-off
mechanism slows down repeated attempts to re-establish the connection.

This release fixes a number of memory leaks and includes dramatic
speedups for large scale systems (e.g. remote access VPN setups). A
new caching system significantly improves certificate handling.
Performance metrics can be logged using the new plutodebug=cpu-usage
option. Performance while under DDoS attack is improved as well.

A brief count of connections being up can be retrieved using the new
"ipsec briefstatus" command.

Opportunistic IPsec (mesh or any-to-any) support has been improved,
and a few corner cases involving /32 group entries were fixed.

IKEv2 REDIRECT support (RFC 5685) has been added, and can either
be configured statically using the new keywords redirect-to=,
accept-redirect= and global-redirect= or can be issued dynamically using
the ipsec whack --redirect and --global-redirect-to commands.

For details, see the full changelog below.

You can download libreswan via https at:


The full changelog is available at: https://download.libreswan.org/CHANGES

Please report bugs either via one of the mailing lists or at our bug


Binary packages for RHEL/CentOS can be found at: https://download.libreswan.org/binaries/

Binary packages for Fedora and Debian should be available in their
respective repositories a few days after this release.

See also https://libreswan.org/

v3.28 (May 20, 2019)
* KLIPS: Disable KLIPS userland support per default [Paul]
          WARNING: Support for KLIPS will be removed in 2019
* MAST: Removed support for MAST variant of KLIPS stack [Paul]
* IKE: Change default connection from IKEv1 to IKEv2 [Paul]
* IKEv2: Don't try to encrypt notify response without SKEYSEED [Andrew/Paul/Hugh]
* IKEv2: ikev2= keyword changed to only accept "yes" or "no" [Paul]
* IKEv2: Support for REDIRECT (RFC 5685) [Vukasin Karadzic/GSoC]
          (new keywords redirect-to=, accept-redirect=, global-redirect=,
           global-redirect-to= and new ipsec whack --redirect command)
* IKEv2: Initialize daily secret used for DCOOKIES [Paul/Andrew]
* IKEv2: Extend narrowing code to support protoports [Andrew/Paul]
* IKEv2: Fix bug that prevented AH from rekeying [Andrew]
* IKEv2: IKE SA rekey could lead to losing track of Child SA [Andrew/Antony]
* IKEv2: A spurious DH calculation was performed and discarded [Andrew]
* IKEv2: Support for IPCOMP (compress=yes) [Paul]
* IKEv2: Initialize NAT keepalives check on IKE SA establishment [Paul]
* IKEv2: Only send NAT keepalives for IKE states (suppresses IPsec dups) [Paul]
* IKEv2: Timeout in receiving IKE_AUTH reply would abort connection [Paul]
* IKEv2: Add ECP384, ECP521 and CURVE25519 to default IKEv2 proposal [Paul]
* IKEv2: Remove SHA1 from default IKEv2 proposal [Paul]
* IKEv2: Delete on auto=start conn would not restart (introduced in 3.23) [Paul]
* IKEv2: Compact proposals to prevent fragmentation of IKE_INIT [Andrew]
* IKEv2: Fix opportunistic group policy on /32 groupinstances on delete [Paul]
* IKEv2: Fix opportunistic /32 on non-defaultroute interface [Paul]
* IKEv2: Do not send two requests for IKEv2_INTERNAL_IP4_ADDRESS [Paul]
* IKEv2: Show payload structure of received packet in RFC notation [Andrew]
* IKEv2: Release whack when peer ID is wrong [Paul]
* IKEv2: Hardened PPK code and fixed memory leaks [Hugh]
* IKEv2: Use less resources under DDoS attack to send/process COOKIES [Andrew]
* IKEv2: Delete partial Child SA states that can never establish [Paul]
* IKEv2: Remove SHA1 from default proposals [Paul]
* IKEv2: Add ECP groups and Curve25519 to default proposal [Paul]
* IKEv2: Fix AH rekeying (handle not having an encrypter) [Paul]
* IKEv2: NAT-T keepalives did not start if only IKEv2 conns were in use [Paul]
* IKEv2: Drop IKE_SA_INIT requests with non-zero SPIr [Andrew]
* IKEv2: On rekey, sometimes a CHILD SA was lost (wrong hash slot) [Andrew]
* IKEv1: Don't leave a dangling pointer after IKE SA delete [Paul/Hugh]
* IKEv1: Only send NAT keepalives for IPsec states (suppresses 1 dup) [Paul]
* IKEv1: Do not activate DPD when peer does not support it [Paul]
* IKEv1: Reject key sizes <= 0 properly instead of crashing [Paul]
* IKEv1: Fix Aggressive Mode interop with Volans Technology [wuwei29]
* IKEv1: Remove bogus "duplicate Delete" check causing Windows 1m outage [Paul]
* IKEv1: If whack socket not there for passwd input, return STF_FATAL [Paul]
* IKEv1: Remove Win98 workaround ignoring IPsec SA deletes in first 60s [Paul]
* X509: Do not keep received CERTs beyond the connection lifetime [Andrew]
* X509: Support for NSS IPsec profiles mbz#1252891 [Kai Engbert/Paul]
* X509: Don't fail validation on critical flag in Key Usage payloads [Paul]
* X509: Fix ocsp-method=get|post to actually skip get when asked [Stepan Broz]
* X509: Fix various leaks [Hugh, Andrew]
* X509: Cache contents read from NSS database for performance [Andrew]
* pluto: Re-initialize (with back-off) conns that should remain "up" [Paul/Hugh]
* pluto: Use any sent IKE message to reset the DPD/liveness counter [Paul]
* pluto: Add timing information to packet processing [Andrew]
* pluto: Significant performance improvements for conns and certs [Andrew]
* pluto: Simplify state lookups and SPI passing [Andrew]
* pluto: Speed up state lookups by only looking at proper hash chain [Andrew]
* pluto: metric= value should accept values > 255 [Tuomo]
* pluto: New "cpu-usage" plutodebug option displaying timing info [Andrew/Paul]
* pluto: Refuse to load connections with TFC and AH or Transport Mode [Paul]
* pluto: Fix memory leak in CERTREQ sending [Hugh]
* pluto: Revive (with back-off) auto=start conns that receive Delete/Notify [Paul]
* pluto: Show all activated impairments in ipsec status [Andrew]
* pluto: Do not load a connection if its certificate has a problem [Andrew]
* pluto: Handle case when external use deletes certificate from NSS [Andrew]
* pluto: Fix resource leaks [Andrew/Hugh]
* pluto: Improve and extend pluto statistics [Paul]
* pluto: Deleting a connection should bring it down first to run _updown [Paul]
* pluto: Revive auto=start conns that receive Delete/Notify [Paul/Hugh/Andrew]
* pluto: Refuse to load connections with unsupported type=transport [Paul]
* addconn: Fix crash on startup with dnssec-enable=no [Stepan Broz]
* libswan: Only use valid ephemeral ports for libunbound context [Stepan Broz]
* libswan: Do not process DNSSEC root key or trust anchors when disabled [Paul]
* libipsecconf: conn %default content could get overwritten rhbz#1704085 [Hugh]
* libipsecconf: Allow IKEv2 style ike/esp proposals using '+' symbol [Andrew]
   (example: ike=aes_gcm+chacha20_poly1305,aes-sha2+sha1)
* libipsecconf: Updated defaults for filling in proposal elements [Andrew]
   (drop sha1, sha2_512 before sha2_256 for esp, lots of new DH groups)
* libipsecconf: Be more tolerant of duplicate proposals and 'none' DH [Andrew]
* confreadwrite: Fix double host printing, line and bad ikev2=UNKNOWN [Paul]
* ipsec: Add "ipsec traffic" as shorthand for "ipsec trafficstatus" [Paul]
* ipsec: Add "ipsec brief" as shorthand for "ipsec briefstatus" [Paul]
* _stackmanager: Do not attempt to load PF_KEY (af_key.ko) module [Paul]
* whack: Fix option name and documentation of ms-dh-downgrade [Tuomo]
* whack: Two new impairments: del-with-notify and bad-ikev2-xchg [Andrew/Paul]
* whack: Fix non-operational connection flags / arguments [Daniel Kautz]
* whack: Add new --briefstatus which skips showing all states [Paul]
* auto: Fix replace operation for when changing from subnet= to subnets= [wuwei29]
* verify: Removed broken IP forwarding check [Paul]
* FIPS: X.509 minimum public key size check was rejecting valid keys [Paul]
* FIPS: Disallow AES-XCBC from PRF/INTEG, Allow AES-GMAC [Paul]
* FIPS: Fixup FIPS_IKE_SA_LIFETIME_MAXIMUM to 24h as per NIST SP 800-77 [Paul]
* FIPS: Force IKE maximum lifetime of 24h (default is 1h) [Paul/Vukasin]
* XFRM: Use netlink for last remaining obsolete PF_KEY API calls [Antony]
* XFRM: Clean up and add logging to IPsec SA for nic-offload= [Hugh/Paul]
* XFRM: Set default XFRM_LIFETIME_DEFAULT to 30 (was 300) [Paul]
* libswan: Fix leaks in badly formed secrets/ppk_id [Vukasin Karadzic]
* libswan: Don't crash on mangled PSK or PPK secrets [Vukasin Karadzic]
* initsystems/systemd: Install tmpfiles config when installing unitfile [Tuomo]
* barf: No longer look for netstat, ifconfig and mii-tool [Paul]
* building: Sort all wildcarded object files for build reproducibility [dkg]
* building: Update NSS includes to not use obsoleted header files [Paul/Andrew]
* building: USE_NSS_AVA_COPY ?= false, only needed with NSS < 3.30 [Tuomo]
* building: USE_UNBOUND_EVENT_H_COPY ?= false, enable only for [Tuomo]
             unbound <= 1.7.3 without unbound-event.h
* building: Fix UNBOUND_VERSION testing so result compiles on Fedora 29 [Hugh]
* building: USE_NSS_IPSEC_PROFILE ?= true, Requires nss >= 3.41 [Tuomo]
* building: Support for unbound > 1.8.0 [Antony]
* building: Update XFRM headers [Antony]
* building: Add 'make install-rpm-dep' and 'make install-deb-dep' [Antony]
* testing: Lots of new and improved test cases [lots of people]
* packaging: Add a spec file for RHEL8/CentOS8 [Paul]
* packaging: debian: explicitly set ARCH for reproducibility [dkg]
* packaging: debian updates [Antony/Paul]
