strongswan

SHA256

Go to file

Mohd Saquib 73a1c9e320 Accepting request 1092621 from home:msaquib:branches:network:vpn - Update to release 5.9.11 * A long-standing deadlock in the vici plugin has been fixed that could get triggered when multiple connections were initiated/terminated concurrently and control-log events were raised by the watcher_t component (#566). * In compliance with RFC 5280, CRLs now have to be signed by a certificate that either encodes the cRLSign keyUsage bit (even if it is a CA certificate), or is a CA certificate without a keyUsage extension. strongSwan encodes a keyUsage extension with cRLSign bit set in all CA certificates since 13 years. And before that it didn't encode the extension, so these certificates would also be accepted as CRL issuer in case they are still valid (7dc82de). * Support for optional CA labels in EST server URIs (e.g. https://www.example.org/.well-known/est/arbitraryLabel1/<operation>) was added to the pki --est and pki --estca commands (#1614). * The pkcs7 and openssl plugins now support CMS-style signatures in PKCS#7 containers, which allows verifying RSA-PSS and ECDSA signatures (#1615). * Fixed a regression in the server implementation of EAP-TLS when using TLS 1.2 or earlier that was introduced with 5.9.10 (#1613, 3d0d3f5). * The EAP-TLS client does now enforce that the TLS handshake is complete when using TLS 1.2 or earlier. It was possible to shortcut it by sending an early EAP-Success message. Note that this isn't a security issue as the server is authenticated at that point (db87087). * On Linux, the kernel-libipsec plugin can now optionally handle ESP packets without UDP encapsulation (uses RAW sockets, disabled by default, e3cb756). The plugin and libipsec also gained support OBS-URL: https://build.opensuse.org/request/show/1092621 OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=149		2023-06-12 15:41:55 +00:00
.gitattributes	OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=1	2007-12-13 03:49:24 +00:00
.gitignore	OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=1	2007-12-13 03:49:24 +00:00
0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch	Accepting request 513652 from home:ndas:branches:network:vpn	2017-08-01 07:21:05 +00:00
fips-enforce.conf	- Added generation of fips hmac hash files using fipshmac utility	2014-11-21 12:01:59 +00:00
fipscheck.sh.in	- Added generation of fips hmac hash files using fipshmac utility	2014-11-21 12:01:59 +00:00
harden_strongswan.service.patch	Accepting request 960489 from home:msmeissn:branches:network:vpn	2022-03-09 18:30:05 +00:00
README.SUSE	- Added generation of fips hmac hash files using fipshmac utility	2014-11-21 12:01:59 +00:00
strongswan_fipscheck.patch	Accepting request 513652 from home:ndas:branches:network:vpn	2017-08-01 07:21:05 +00:00
strongswan_ipsec_service.patch	osc copypac from project:openSUSE:Factory package:strongswan revision:70	2020-01-30 15:50:32 +00:00
strongswan-5.9.11.tar.bz2	Accepting request 1092621 from home:msaquib:branches:network:vpn	2023-06-12 15:41:55 +00:00
strongswan-5.9.11.tar.bz2.sig	Accepting request 1092621 from home:msaquib:branches:network:vpn	2023-06-12 15:41:55 +00:00
strongswan-rpmlintrc	osc copypac from project:openSUSE:Factory package:strongswan revision:70	2020-01-30 15:50:32 +00:00
strongswan.changes	Accepting request 1092621 from home:msaquib:branches:network:vpn	2023-06-12 15:41:55 +00:00
strongswan.init.in	- Fixed rpmlint runlevel & fsf warnings, updated rpmlintrc	2012-02-15 13:48:10 +00:00
strongswan.keyring	Accepting request 143934 from home:sbrabec:gpg-offline-verify	2012-12-04 10:25:06 +00:00
strongswan.spec	Accepting request 1092621 from home:msaquib:branches:network:vpn	2023-06-12 15:41:55 +00:00

README.SUSE

Dear Customer,

please note, that the strongswan release 4.5 changes the keyexchange mode
to IKEv2 as default -- from strongswan-4.5.0/NEWS:
"[...]
IMPORTANT: the default keyexchange mode 'ike' is changing with release 4.5
from 'ikev1' to 'ikev2', thus commemorating the five year anniversary of the
IKEv2 RFC 4306 and its mature successor RFC 5996. The time has definitively
come for IKEv1 to go into retirement and to cede its place to the much more
robust, powerful and versatile IKEv2 protocol!
[...]"

This requires adoption of either the "conn %default" or all other IKEv1
"conn" sections in the /etc/ipsec.conf to use explicit:

	keyexchange=ikev1

The charon daemon in strongswan 5.x versions supports IKEv1 and IKEv2,
thus a separate pluto IKEv1 daemon is not needed / not shipped any more.


The strongswan package does not provide any files except of this README,
but triggers the installation of the charon daemon and the "traditional"
strongswan-ipsec package providing the "ipsec" script and service.
The ipsec.service is an alias link to the "strongswan.service" systemd
service unit and created by "systemctl enable strongswan.service".


There is a new strongswan-nm package with a NetworkManager specific charon-nm
binary controlling the charon daemon through D-Bus and designed to work using
the NetworkManager-strongswan graphical user interface.
It does not depend on the traditional starter scripts, but on the IKEv2
charon daemon and plugins only. 


The stongswan-hmac package provides the fips hmac hash files, a _fipscheck
script and a /etc/strongswan.d/charon/zzz_fips-enforce.conf config file,
which disables all non-openssl algorithm implementations.

When fips operation mode is enabled in the kernel using the fips=1 boot
parameter, the strongswan fips checks are executed in front of any start
action of the "ipsec" script provided by the "strongswan-ipsec" package
and a verification problem causes a failure as required by fips-140-2.
Further, it is not required to enable the fips_mode in the openssl plugin
(/etc/strongswan.d/charon/openssl.conf); the kernel entablement enables
it automatically as needed.

The "ipsec _fipscheck" command allows to execute the fips checks manually
without a check if fips is enabled (/proc/sys/crypto/fips_enabled is 1),
e.g. for testing purposes.


Have a lot of fun...