<div dir="ltr"><div class="gmail_extra">Hi and thanks!</div><div class="gmail_extra"><br></div><div class="gmail_extra">I have successfully upgraded. I was following the git repository at <a href="https://github.com/libreswan/libreswan">https://github.com/libreswan/libreswan</a> however these changes does not seem to be in there right?</div><div class="gmail_extra"><br></div><div class="gmail_extra">Also I am still having issues described in this post <a href="https://lists.libreswan.org/pipermail/swan/2014/000826.html">https://lists.libreswan.org/pipermail/swan/2014/000826.html</a> (i.e. multiple clients cannot connect from the same nat). Is this an outstanding issue still or a configuration problem?</div><div class="gmail_extra"><br></div><div class="gmail_extra">Kind regards</div><div class="gmail_extra">Jonas</div><div class="gmail_extra">
<br><div class="gmail_quote">2015-06-15 15:32 GMT+02:00 Paul Wouters <span dir="ltr"><<a href="mailto:paul@nohats.ca" target="_blank">paul@nohats.ca</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><br>
Hi,<br>
<br>
We have been a 3.14rc2 Release Candidate available for testing.<br>
<br>
As the changes between 3.13 and 3.14 are significant, we would like<br>
to hear back from the community for any potential issues they find,<br>
including the upgrade from 3.13 to 3.14rc2. This upgrade will also<br>
upgrade the NSS database in /etc/ipsec.d from dbm format to sql format,<br>
so please do backup /etc/ipsec.d before attempting an upgrade.<br>
<br>
The (not fully completed) changelog follows below.<br>
<br>
Paul<br>
<br>
* NSS: Major rewrite of PRF / PRFPLUS / integrity functions [Andrew]<br>
* CAVS: Added programs/pluto/cavp for NIST CVAS testing [Andrew]<br>
* IKEv2: authby=null support (draft-ietf-ipsecme-authnull) [Paul/Antony/Hugh]<br>
* IKEv2: leftid=%null support (draft-ietf-ipsecme-authnull) [Paul/Antony/Hugh]<br>
* IKEv2: whack and smc related time out fixes [Antony]<br>
* IKEv2: do not pad IKE messages (fix interop w. InsideSecure) [Paul]<br>
* IKEv2: Fix esp=camellia to use the IKEv2 IANA registry number for ESP [Paul]<br>
* IKEv2: Fix memory leaks in addresspool and child exchange sadb [Antony]<br>
* IKEv2: Support for INVALID_KE DH group re-transmits [Paul/Hugh]<br>
* IKEv2: if applicable, add CERTREQ payload to IKE_SA_INIT response [Antony]<br>
* IKEv1: Don't copy isakmp_sa from received packet [Paul]<br>
* FIPS: Enforce crypto restrictions in FIPS mode (no md5,twofish, etc) [Paul]<br>
* XAUTH: retransmit user/password request in 10s (instead of 30s) [Wolfgang]<br>
* X509: Re-added CRL and OCSP support using NSS [Matt]<br>
* X509: Expired certificate could crash pluto [Wolfgang]<br>
* x509: New options: ocsp_enable= ocsp_strict= ocsp_timeout= [Matt]<br>
ocsp_uri= and ocsp_trust_name=<br>
* pluto: Converted select() loop to use libevent and subsecond timers [Antony]<br>
* pluto: Added retransmit-timeout= and retransmit-interval= [Antony]<br>
* pluto: Greatly reduce time to retransmit from 20s to 0.5s [Antony]<br>
* pluto: Support for IKEv1 and IKEv2 AES_CTR (ike=aes_ctr) [Andrew Cagney]<br>
* pluto: Support for CBC/CTR test vectors using NSS [Andrew Cagney]<br>
* pluto: Remove last weary old X.509 patch code and use NSS instead [Matt]<br>
* pluto: Static IP support using passwd file with addresspool= [Wolfgang]<br>
* pluto: major tidy of labeled ipsec code [Hugh]<br>
* pluto: fixes for uninitialized fields in output struct [Hugh/Paul]<br>
* pluto: audit format and log item update as per audit spec [Paul]<br>
* pluto: simplify and clarify sa_copy_sa and friends [Hugh]<br>
* pluto: small steps improving crypto helpers [Hugh]<br>
* pluto: plutostderrlog= renamed to logfile= [Paul]<br>
* pluto: plutostderrlogtime= renamed to logtime= [Paul]<br>
* pluto: New option logappend=yes|no (default yes) [Paul]<br>
* pluto: Removed obsoleted loopback= support [Paul]<br>
* pluto/rsasigkey: added --seedbits option (and seedbits= option) [Paul]<br>
* pluto: do not terminate_connection() in-flight [Hugh]<br>
* pluto: don't use an expired reserved kernel SPI as fallback [Herbert Xu]<br>
* pluto: Use "third best" monotime() on mismatched kernel/glibc headers [Paul]<br>
* pluto: removed bool inbound_only from delete_ipsec_sa() [Paul/Herbert]<br>
* pluto: fix modecfg client/server status display (was swapped) [Herbert]<br>
* pluto: NFLOG support via nflog-all= and nflog= keywords [Paul]<br>
* pluto: Fix bogus "no RSA public key known for '%fromcert'" [Herbert Xu]<br>
* libipsecconf: Improve parser for pipe case (with NM) [Hugh/Lubomir Rintel]<br>
* readwriteconf: improve error handling [Hugh]<br>
* ipsec: ipsec --import does not need to run restorecon [Paul]<br>
* ipsec: --checknss option automatically updates NSS DB to SQL [Matt]<br>
* packaging: Various SPEC file fixes [Tuomo/Kim]<br>
* packaging: Add v6neighbour-hole.conf for Neighbour Discovery hole [Paul]<br>
* initsystems: run ipsec --checknss before start [Tuomo]<br>
* building: overhaul of build system Makefiles (see mk/) [Andrew]<br>
* testing: docker test type support [Antony]<br>
* testing: test case updates/additions [Antony/Paul/Andrew/Matt]<br>
* NETKEY: Increase netlink message buffer for larger SElinux labels [Paul]<br>
* KLIPS: move udp_encap_enable() to not be within spinlock [Wolfgang]<br>
* KLIPS: ipsec_rcv_decap_ipip broken for IPv6 lsb#227 [Frank Schmirler]<br>
* KLIPS: Support for SHA2 via CryptoAPI [Wolfgang]<br>
* KLIPS: Support for sha2_truncbug [Wolfgang]<br>
* whack: New command ipsec whack --purgeocsp [Matt]<br>
* whack: cleanup help text [Tuomo]<br>
* _stackmanager: Don't load blacklisted modules (rhbz#1207689) [Paul/Tuomo]<br>
* _updown: add proxy arp for cases where routing won't work [Tuomo/Wolfgang]<br>
* Bugtracker bugs fixed:<br>
#260: libswan: extra safetey around same_id() when ID_FROMCERT is used [Paul]<br>
_______________________________________________<br>
Swan mailing list<br>
<a href="mailto:Swan@lists.libreswan.org" target="_blank">Swan@lists.libreswan.org</a><br>
<a href="https://lists.libreswan.org/mailman/listinfo/swan" rel="noreferrer" target="_blank">https://lists.libreswan.org/mailman/listinfo/swan</a><br>
</blockquote></div><br></div></div>